Abstract

Infrastructures are group-like objects that make their appearance in arithmetic geometry 
in the study of computational problems related to number fields and function fields over finite 
fields. The most prominent computational tasks of infrastructures are the computation of the 
circumference of the infrastructure and the generalized discrete logarithms. Both these problems 
are not known to have efficient classical algorithms for an arbitrary infrastructure. Our main 
contributions are polynomial time quantum algorithms for one-dimensional infrastructures that 
satisfy certain conditions. For instance, these conditions are always fulfilled for infrastructures
obtained from number fields and function fields, both of unit rank one. Since quadratic number 
fields give rise to such infrastructures, this algorithm can be used to solve Pell's equation and the 
principal ideal problem. In this sense we generalize Hallgren's quantum algorithms for quadratic 
number fields, while also providing a polynomial speedup over them. Our more general approach 
shows that these quantum algorithms can also be applied to infrastructures obtained from 
complex cubic and totally complex quartic number fields. Our improved way of analyzing the 
performance makes it possible to show that these algorithms succeed with constant probability 
independent of the problem size. In contrast, the lower bound on the success probability due to 
Hallgren decreases as the fourth power of the logarithm of the circumference. Our analysis also 
shows that fewer qubits are required. We also contribute to the study of infrastructures, and 
show how to compute efficiently within infrastructures. 
1 Introduction

One of the most important challenges in quantum computing has been the task of finding efficient 
algorithms for problems that are intractable on a classical computer. Following Shor's discovery 
of a polynomial time quantum algorithm for factoring integers and solving the discrete logarithm 
problem [23], the key ideas of the period finding algorithm were generalized and led to the framework
of the hidden subgroup problem (HSP) [14]. The major algorithmic success in this context is that
the abelian HSP can be solved efficiently by a quantum algorithm (while classical algorithms are
inefficient). This quantum algorithm can also be viewed as determining the structure of a hidden
lattice $\Lambda$ inside $\mathbb{Z}^n$.

An important restriction of this quantum algorithm is that it only works for integral lattices. But
Hallgren overcame this obstacle in the one-dimensional setting by generalizing Shor's period finding
algorithm to the case where the period is irrational [11, 13] (see also [15, 19]). This enabled him to
give polynomial time quantum algorithms for computing the regulator of a quadratic number field
and solving the principal ideal problem. Schmidt and Vollmer [20, 21] and Hallgren [12] presented
a polynomial time quantum algorithm for determining a hidden lattice in $\mathbb{R}^n$ for fixed $n$. They
showed that computing the unit group and solving the principal ideal problem in number fields
of fixed unit rank can be solved efficiently with this algorithm.^1 In stark contrast to $\mathbb{Z}^n$, the
success probability of the above quantum algorithms for finding a hidden lattice in $\mathbb{R}^n$ decreases
exponentially with the dimension, making them inefficient with respect to the dimension. Thus,
an important open problem is to determine whether there exist quantum algorithms whose success
probability decreases less rapidly with the dimension.

^1 Hallgren also showed in [12] how to compute the class group of a number field of fixed unit rank.

In this paper, we initiate the study of quantum algorithms for infrastructures. These group-like 
structures are hidden beneath the number theoretic details of the above quantum algorithms. They 
play an important role in the research on computational problems in global fields, i.e. number fields 
and function fields over finite fields [6] (arithmetic geometry provides a unified treatment of global 
fields |17]). For instance, computing the unit group and solving the principal ideal problem can both 
be translated to well defined problems of infrastructures, namely, the computation of the lattice 
characterizing the periodic symmetry of the infrastructure and the computation of generalized 
discrete logarithms in these group-like structures. Both these computational problems associated 
with the infrastructures are not known to have efficient classical algorithms. 

In this paper we focus on arbitrary one-dimensional infrastructures and give polynomial time quantum
algorithms for computing the circumference and for computing the generalized discrete logarithms.
One-dimensional infrastructures arise from global fields of unit rank one, and include the
special case of real quadratic number fields studied by Hallgren [13] and complex cubic and quartic
number fields [2], thereby providing further applications. Our algorithms perform better than
the algorithms of [13] when applied to these problems. The proposed algorithms provide a super-
polynomial speedup over classical algorithms. In addition, we make several other contributions.
Firstly, although our algorithms are given in a more general setting, they have lower complexity
and a higher success probability than those in [11, 13]. In fact, all our algorithms can be shown to
have a success probability that is lower bounded by a constant, which is independent of the problem
size. For instance, our analysis shows that the success probability of computing the circumference
is a constant and at least $10^{-5}$, in contrast to [13], which implies a lower bound less than $10^{-9}$ that
decreases as a fourth power of the circumference. It is also better than the result of [19], which is
lower bounded by $2^{-26}$. Secondly, our results, when specialized to quadratic number fields, provide
a simpler treatment of the computational problems, and can be easily applied without extensive
knowledge of number theory. Thirdly, we introduce an interesting technical result that could have
wider applicability in the analysis of quantum algorithms employing the quantum Fourier transform.
Finally, we make a contribution to the study of one-dimensional infrastructures by showing how
to perform finite precision computations efficiently within the infrastructures. These are useful
even in the context of purely classical algorithms for infrastructures. A natural direction for further
investigation is the generalization of the proposed quantum algorithms to higher dimensional
infrastructures. These are presented in [10].

This paper is structured as follows. We first introduce the mathematical preliminaries, defining 
precisely the notion of an infrastructure and the computational problems associated with them. We 
then show that these infrastructures can be endowed with a group structure and review the relevant 
results related to the embedding of the infrastructures into circle groups. We then introduce group 
homomorphisms that are key to solving the computational problems associated to them. We also 
show that these homomorphisms can be computed efficiently. These results should be of interest 
beyond the present context. 

In section 3 we generalize the notion of periodic quantum states and prove a key technical result
related to the analysis of Fourier sampling. This result simplifies the analysis of the algorithms and
leads to a tighter bound on the success probabilities of the proposed algorithms. In this section,
we give a quantum algorithm for estimating the period of a pseudo-periodic quantum state. This
result could be applicable to situations beyond the current setting of infrastructures.

In section 4 we show how to set up periodic quantum states from infrastructures and use the quantum
algorithm proposed in section 3 to estimate the circumference of the infrastructure. In section 5
we present the quantum algorithm to solve the generalized discrete logarithm problem.

2 Infrastructures 

We define infrastructures and state the two main computational problems associated to infrastruc- 
tures. We restrict our attention to the one-dimensional infrastructures. 

2.1 Definition of infrastructures 

We refer the reader to [5, 6, 8] for more information on infrastructures. Our presentation follows [?].

Definition 1 (Infrastructure). An infrastructure of circumference $R$ is a pair $(X, d)$ where $X$ is a
finite set and $d : X \to \mathbb{R}/R\mathbb{Z}$ is an injective function on $X$.

Injectivity of $d$ ensures that no two distinct elements of $X$ have the same distance. We define a
function on the set $X$ called the baby-step, $bs : X \to X$, as follows. Consider the set

$$S_x = \{ r \in \mathbb{R} \mid r > 0 \text{ and } d(x) + r \bmod R \in d(X) \}. \quad (1)$$

Let $f_x = \min S_x$. Then $bs(x) = x'$ such that $d(x') = d(x) + f_x \bmod R$. We also define the relative
distance function

$$\Delta_{bs} : X \to \mathbb{R} \quad \text{where} \quad \Delta_{bs}(x) = f_x = \min S_x. \quad (2)$$

Informally, $bs(x)$ gives the element next to $x$. The circumference of the infrastructure, denoted
$R$, can be expressed in terms of this relative distance function as follows, where $X = \{x_0, \dots, x_{m-1}\}$:

$$R = \sum_{i=0}^{m-1} \Delta_{bs}(x_i). \quad (3)$$

It is clear that $bs^{-1}$, the inverse of $bs$, is well-defined. Further, a group-like structure is imposed
on the set $X$ by means of a binary operator, called the giant-step. Consider the set

$$S_{x,y} = \{ r \in \mathbb{R} \mid r \ge 0 \text{ and } d(x) + d(y) + r \bmod R \in d(X) \}.$$

Let $f_{x,y} = \min S_{x,y}$. Then $gs : X \times X \to X$ is defined as

$$gs(x, y) = z \text{ such that } d(z) = d(x) + d(y) + f_{x,y} \bmod R. \quad (4)$$
We define the relative distance function $\Delta_{gs}$ as

$$\Delta_{gs} : X \times X \to \mathbb{R} \quad \text{where} \quad \Delta_{gs}(x, y) = f_{x,y} = \min S_{x,y}. \quad (5)$$

The giant-step is commutative, but not associative. It is "almost associative" in the sense that
for two arbitrary elements $x, y \in X$ the giant-step gives an element $z \in X$ whose distance satisfies
$d(z) \approx d(x) + d(y)$.

In infrastructures arising out of quadratic number fields the elements of the infrastructure correspond
to the principal reduced ideals of the number field. The distance function is the norm of the
ideals. One can cycle through these ideals using the so-called reduction operator [15]; this function
corresponds to the baby-step. One can also define the product of ideals, which after reduction
corresponds to the giant-step, see [15].

The definitions of $bs$ and $gs$ and the relative distance functions $\Delta_{bs}$ and $\Delta_{gs}$ may suggest that
we need R and the distance function d to be able to compute them. However, this is not the 
case. These functions can be computed efficiently without the knowledge of R or the distance 
function d. To illustrate this point, let us explain how (discrete) infrastructures can be considered 
as generalizations of finite cyclic groups. 

Definition 2 (Discrete infrastructure). An infrastructure is said to be discrete if its circumference
$R$ is a positive integer and its distance function $d$ is integer-valued, i.e., $d : X \hookrightarrow \mathbb{Z}/R\mathbb{Z}$.

Example 1 (Finite cyclic group). Suppose $G = \langle g \rangle$ is a finite cyclic group of order $R$ generated
by $g$. Then we can form an infrastructure out of $G$ as follows. We let $X = G$ and define $d(h) =
\log_g h$ for any $h \in G$, since every element $h \in G$ is of the form $g^{d(h)}$ for some $d(h) \in \mathbb{Z}$. The baby
step $bs$ of the infrastructure corresponds simply to multiplication of an element $x$ by the generator $g$,
while the giant step $gs$ corresponds to the multiplication of two elements $x$ and $y$ in $G$. The relative
distance functions $\Delta_{bs}$ and $\Delta_{gs}$ are constant and take on the values 1 and 0, respectively.

We can now interpret the order of $G$ as the circumference of the infrastructure. The distance
function $d(x)$ corresponds to the discrete logarithm of the element $x$ with respect to the base
$g$. This example makes it clear why we cannot necessarily determine the circumference and the
distance function efficiently, even though we can efficiently evaluate the baby and giant steps and
their corresponding distance functions.

2.2 Computational problems 

The main computational problems related to infrastructures are the computation of the circumfer- 
ence and the computation of generalized discrete logarithms. 

We consider only infrastructures that satisfy the assumptions below. These are necessary to be 
able to carry out basic arithmetic operations in infrastructures in polynomial time. The cost is 
measured with respect to the input problem size n. 

A1) The circumference satisfies $R < 2^{poly(n)}$.

A2) Any element $x \in X$ can be represented by a bit string of length $poly(n)$.

A3) The elements $bs(x)$, $bs^{-1}(x)$, $gs(x, y)$ can be determined in time $poly(n)$ for all $x, y \in X$.

A4) The relative distances $\Delta_{bs}(x)$ and $\Delta_{gs}(x, y)$ cannot necessarily be computed exactly. We only
obtain approximate values $\tilde{\Delta}_{bs}(x)$ and $\tilde{\Delta}_{gs}(x, y)$ with

$$|\tilde{\Delta}_{bs}(x) - \Delta_{bs}(x)| < \frac{1}{2^m} \quad \text{and} \quad |\tilde{\Delta}_{gs}(x, y) - \Delta_{gs}(x, y)| < \frac{1}{2^m} \quad (6)$$

in time^2 $poly(n, m)$.

A5) The minimum distance $d_{min}$ between any two elements of the infrastructure is bounded from
below by

$$d_{min} = \min_{x} \{ \Delta_{bs}(x) \} > \frac{1}{2^{poly(n)}}. \quad (7)$$

A6) The maximum distance $d_{max}$ between any two elements of the infrastructure is bounded from
above by

$$d_{max} = \max_{x} \{ \Delta_{bs}(x) \} < poly(n). \quad (8)$$

A7) There exists a positive integer $k < poly(n)$ and a positive (rational) number $d_k > poly(n)$
such that for all $x \in X$ we have

$$\sum_{i=0}^{k-1} \Delta_{bs}(bs^i(x)) \ge d_k, \quad (9)$$

where $bs^i$ denotes the $i$-fold application of $bs$. In words, any $k$ consecutive elements span a
distance of at least $d_k$.

We emphasize that these assumptions are not restrictive; in fact, they are routinely made in the 
work on infrastructures. We have spelt them out explicitly for expository reasons. In particular, 
infrastructures arising from quadratic number fields satisfy all the assumptions made above; further 
justification for these assumptions for number fields is provided below. The first three assumptions 
are obvious. The relative distances $\Delta_{bs}$ and $\Delta_{gs}$ could be arbitrary real numbers and, thus, we
cannot always obtain the exact values. Assumption A4 is made because we cannot perform arith- 
metic with arbitrary real numbers. Assumptions A5 - A7 ensure that we can compute in certain 
circle groups associated to infrastructures and evaluate certain homomorphisms into these groups 
efficiently in time poly(n). 

The computational problems in infrastructures are : 

• Computation of the circumference: 

determine an m-bit approximation of the circumference R 

• Generalized discrete logarithm problem: 

given an element y £ X, determine an m-bit approximation of d(y) 

The main contributions of this work are efficient quantum algorithms for infrastructures satisfying
assumptions A1 - A7. These algorithms make it possible to determine $\lfloor R \rceil$ and $\lfloor d(y) \rceil$ in time
$poly(n)$, where the notation $\lfloor r \rceil$ means either the floor or the ceiling of the real number $r$. Simple
classical post processing allows us to obtain efficiently $m$-bit approximations from these integral
approximations. For the sake of completeness, we prove later how this can be accomplished.

^2 Note that $m$ here and elsewhere in the rest of the paper is not related to the number of elements in the infrastructure.

We now justify the validity of the above assumptions in the case of infrastructures from number 
fields of unit rank 1 (such number fields give rise to one-dimensional infrastructures). 

A1) This is shown in [18] (see also [?]).

A2) This is shown in [24, Corollary 3.7].

A3) In [2], it is shown that the baby steps and giant steps can be computed in $O(D^{\epsilon})$ for arbitrary
$\epsilon > 0$ (where $D$ is the absolute value of the discriminant, which is bounded by $2^{poly(n)}$).
However, if one traces through their references and updates the analysis of the running time,
one finds that everything is polynomial in $\log(D)$ and not just subexponential [9].

A4) This assumption is valid since one can approximate logarithms of absolute values of elements
in number fields whose size is polynomially bounded in $n$.

A5) In [22, Example 9.4], it is shown that $d_{min}$ can be of size $1/2^{poly(n)}$. In [9], Fontein informed
us that A5 holds in general.

A6) This is shown in [2, Proposition 2.7 (i)].

A7) This is shown in [2, Proposition 2.7 (ii)].

The infrastructures from function fields are always discrete. This means that there are no issues 
with finite precision. Therefore, the above computational problems can be solved directly with the 
standard hidden subgroup approach. This is because the circle groups corresponding to discrete 
infrastructures are just finite cyclic groups. In [9], Fontein informed us that the relevant assumptions 
also hold in infrastructures from finite fields. 

2.3 Circle groups from infrastructures 

We now show that infrastructures naturally give rise to circle groups that are isomorphic to $\mathbb{R}/R\mathbb{Z}$.
This isomorphism is the key to solving the two computational problems in quantum polynomial
time. Here and in the next two subsections, we assume that we can compute $\Delta_{bs}$ and $\Delta_{gs}$ exactly.

Picture the elements of $X$ to be embedded in a circle of circumference $R$ as follows. They are placed
along the circle starting with $x_0$ at the topmost point of the circle and then moving clockwise. Their
position is determined by the distance function $d$. For instance, the element $x_i$ is associated to the
point $d(x_i)$ on the circle as depicted in Figure 1.

This embedding alone does not yet give rise to a valid group structure because $d(x_i) + d(x_j)$ is
not necessarily an element of $d(X)$. To obtain a group, we start with the set $X \times \mathbb{R}$ and the map
$\psi : X \times \mathbb{R} \to \mathbb{R}/R\mathbb{Z}$ defined by

$$\psi(x, f) = d(x) + f \quad (10)$$

for all $(x, f) \in X \times \mathbb{R}$. We call this the absolute distance of the pair $(x, f)$.

For each $d \in \mathbb{R}/R\mathbb{Z}$, there exist infinitely many pairs $(x, f) \in X \times \mathbb{R}$ with $\psi(x, f) = d$. To
avoid this infinitude, we continue by defining the equivalence relation $\equiv$ on $X \times \mathbb{R}$: two pairs
$(x, f), (y, g) \in X \times \mathbb{R}$ are said to be equivalent if and only if $\psi(x, f) = \psi(y, g)$ (which is the same
as $d(x) + f = d(y) + g \bmod R$). We denote the equivalence class of $(x, f)$ by $[x, f]$.
Figure 1: Embedding an infrastructure into $\mathbb{R}/R\mathbb{Z}$ (the elements $x_0, x_1, \dots$ are placed clockwise at the points $d(x_i)$ of the circle).

Now the set $X \times \mathbb{R}/\!\equiv$ can be endowed with a group structure as follows.

Proposition 1. The absolute distance map $\psi$ in equation (10) is a group isomorphism from $\mathcal{G} :=
X \times \mathbb{R}/\!\equiv$ to $\mathbb{R}/R\mathbb{Z}$, where the (commutative) group operation on $\mathcal{G}$ is defined by

$$[x, f] + [y, g] := [gs(x, y),\, f + g - \Delta_{gs}(x, y)] \quad (11)$$

for arbitrary pairs $(x, f), (y, g) \in X \times \mathbb{R}$.

Proof. The proof is straightforward. We just verify that $\psi$ is a group homomorphism. Letting
$\psi(x, f) = d(x) + f$ and $\psi(y, g) = d(y) + g$, we obtain $\psi(gs(x, y), f + g - \Delta_{gs}(x, y)) = d(gs(x, y)) +
f + g - \Delta_{gs}(x, y)$. By the definition of the giant-step it holds that $d(gs(x, y)) = d(x) + d(y) + \Delta_{gs}(x, y)$.
Thus, $d(gs(x, y)) + f + g - \Delta_{gs}(x, y) = d(x) + d(y) + f + g = \psi(x, f) + \psi(y, g)$. □

2.4 Group arithmetic based on $f$-representations

We have to use "nice" representatives for the equivalence classes of $\mathcal{G}$ to be able to compute within
this group efficiently. To this end, we introduce $f$-representations. Intuitively, the $f$-representations
fill in the missing points in the circle $\mathbb{R}/R\mathbb{Z}$, i.e., the set of points $(\mathbb{R}/R\mathbb{Z}) \setminus d(X)$.

Definition 3 ($f$-representation). Let $(X, d)$ be an infrastructure. A pair $(x, f) \in X \times \mathbb{R}$ is said to
be an $f$-representation if $0 \le f < \Delta_{bs}(x)$. We denote the set of all $f$-representations by $Rep(X)$.

The following lemma was shown in [5] (see Proposition 2 and Corollary 1 therein) in a slightly
less general setting. We include this lemma for completeness. An important aspect of this lemma
is that the group operation can be realized without having any knowledge of $R$ or the distance
function $d$ (except for the knowledge that is revealed indirectly through the particular interplay
of the functions $bs$, $gs$, $\Delta_{bs}$, and $\Delta_{gs}$).

We mention that for arbitrary infrastructures, neither this lemma nor any simple method makes it
possible to compute inverses in $\mathcal{G}$. However, in the case of infrastructures in global fields there is an
efficient classical way to compute (approximate) $f$-representations of inverses in the corresponding
circle groups.

Lemma 2. The group operation in $\mathcal{G}$ can be efficiently realized by using $f$-representations to encode
the equivalence classes. More precisely, it takes at most $k \lceil 2 d_{max} / d_k \rceil = poly(n)$ invocations of baby
steps to obtain the $f$-representation corresponding to the sum of two elements of $\mathcal{G}$.

Proof. Let $(x, f), (x', f') \in Rep(X)$. Then, we have

$$[x, f] + [x', f'] = [gs(x, x'),\, f + f' - \Delta_{gs}(x, x')].$$

In general, the pair $(x'', f'') := (gs(x, x'),\, f + f' - \Delta_{gs}(x, x')) \in X \times \mathbb{R}$ is not a valid $f$-representation.
The task now is to find the $f$-representation that encodes the same equivalence class in $\mathcal{G}$ as $(x'', f'')$.
We use the bounds $-d_{max} < f'' = f + f' - \Delta_{gs}(x, x') \le f + f' < 2 d_{max}$, where $d_{max}$ is the maximum
distance between two consecutive elements of the infrastructure.

If $f'' < 0$, then we iteratively replace $(x'', f'')$ with $(bs^{-1}(x''),\, f'' + \Delta_{bs}(bs^{-1}(x'')))$ until it first becomes
nonnegative. If $f'' \ge 0$, then we iteratively replace $(x'', f'')$ with $(bs(x''),\, f'' - \Delta_{bs}(x''))$ until it is minimal
while being nonnegative. Observe that this reduction process preserves the absolute distance.
Moreover, it takes at most $k \lceil 2 d_{max} / d_k \rceil = poly(n)$ steps to obtain the canonical representative
in $Rep(X)$. □

From now on, we identify $\mathcal{G}$ with $Rep(X)$ and use $(x, f) \in Rep(X)$ to denote the group elements
instead of $[x, f]$ to simplify notation.

The corollary below is a simple consequence of the above lemma. We state it explicitly because
this result is used extensively in the quantum algorithms.

Corollary 3 (Double and multiply). Let $(x, f) \in \mathcal{G}$ be an arbitrary group element and $a \in \mathbb{Z}$ an
arbitrary nonnegative integer. Then, it takes at most $O(k \lceil 2 d_{max} / d_k \rceil \log(a)) = poly(n) \log(a)$ invocations
of baby steps and at most $O(\log(a))$ invocations of giant steps to obtain the $f$-representation
corresponding to $a \cdot (x, f)$.

Proof. The action of $\mathbb{Z}$ on the commutative group $\mathcal{G}$ is defined by

$$a \cdot (x, f) := \underbrace{(x, f) + (x, f) + \cdots + (x, f)}_{a \text{ times}}.$$

Consider the special case of computing $a \cdot (x, f)$ for $a = 2^i$ with some $i$. This takes at most $O(i)$
steps:

$$\begin{aligned}
(x, f) &= (x^{(0)}, f^{(0)}) \\
2 (x, f) &= (x^{(0)}, f^{(0)}) + (x^{(0)}, f^{(0)}) = (gs(x^{(0)}, x^{(0)}),\, 2 f^{(0)} - \Delta_{gs}(x^{(0)}, x^{(0)})) = (x^{(1)}, f^{(1)}) \\
&\;\;\vdots \\
2^i (x, f) &= (x^{(i-1)}, f^{(i-1)}) + (x^{(i-1)}, f^{(i-1)}) = (gs(x^{(i-1)}, x^{(i-1)}),\, 2 f^{(i-1)} - \Delta_{gs}(x^{(i-1)}, x^{(i-1)})) = (x^{(i)}, f^{(i)})
\end{aligned} \quad (12)$$

In each step, we apply the above lemma to ensure that the $(x^{(i)}, f^{(i)})$ are valid $f$-representations.
Now suppose $a = b_i 2^i + b_{i-1} 2^{i-1} + \cdots + b_0 2^0$ in binary representation. Then, $a \cdot (x, f)$ can be
computed as

$$a \cdot (x, f) = \sum_{j=0}^{i} b_j\, (x^{(j)}, f^{(j)})$$

with at most $i$ additions. We again use the above lemma to ensure that the partial sums are valid
$f$-representations.

In total, the whole process takes at most $O(\log(a))$ giant-steps and $O(k \lceil 2 d_{max} / d_k \rceil \log(a))$
baby-steps. □



2.5 Group homomorphisms from $\mathbb{R}$ and $\mathbb{Z} \times \mathbb{R}$ into circle groups

In this subsection, we continue to assume that we can determine the functions $\Delta_{bs}$ and $\Delta_{gs}$ exactly,
and compute with arbitrary real numbers. In the next subsection, we will relax this assumption.

Definition 4. Let $h : \mathbb{R} \to \mathcal{G}$ be the surjective group homomorphism, where $h(r)$ is defined to be
the unique $f$-representation $(x, f) \in Rep(X)$ with $(x_0, r) \equiv (x, f)$.

Recall that we define the distance function $d$ such that $d(x_0) = 0$, thus $(x_0, 0)$ is the identity of
$\mathcal{G}$.

The statement of the following lemma is obvious. We formulate it explicitly since it provides the
intuition required to understand the quantum algorithm for computing the circumference.

Lemma 4. The kernel of $h$ is equal to $R\mathbb{Z}$. Thus, $h$ is a periodic function on $\mathbb{R}$ with period $R$.

Lemma 5. Let $r \in [0, B] \subset \mathbb{R}$, where $B$ is an arbitrary (but fixed) positive real number. Then,
we can determine the exact value $h(r)$ using $O(\log(B))$ giant-steps and $O(\log(B)\, k \lceil 2 d_{max} / d_k \rceil) =
O(\log(B)\, poly(n))$ baby-steps under the assumption that $\Delta_{bs}$ and $\Delta_{gs}$ can be computed exactly.

Proof. In general, $(x_0, r)$ is not a valid $f$-representation. Thus, we need to find the corresponding
$f$-representation. If $r$ is small and positive, then we can use baby-steps to find it with at most
$k \lceil r / d_k \rceil$ invocations.

If $r$ is large, then the baby-step method is not efficient anymore. We have to use giant-steps as
well. The idea is to use the double and multiply technique of Corollary 3. Let $x_k = bs^k(x_0)$.
Then $d(x_k) \ge d_k$. Let $a = [r / d(x_k)]$, where $[x]$ denotes the nearest integer to $x$. We can compute
$a \cdot (x_k, 0) = (x, f)$ using $O(\log(a)) = O(\log(B))$ giant-steps and $O(\log(B)\, k \lceil 2 d_{max} / d_k \rceil)$ baby-steps.
Note that $(x, f) \equiv (x_0, a\, d(x_k))$. But $|a\, d(x_k) - r| = |[r / d(x_k)]\, d(x_k) - r| \le d(x_k)/2$. Therefore,
$(x, f)$ is within a distance of at most $d(x_k)/2$ from $r$. Thus we can find $h(r)$ by using no more
than $k$ additional invocations of either $bs$ or $bs^{-1}$. The overall time complexity of evaluating
$h(r)$ is therefore $O(\log(B)\, k \lceil 2 d_{max} / d_k \rceil) = O(\log(B)\, poly(n))$, since $d_{max}$ and $k$ are $O(poly(n))$ by
assumptions A6 and A7. □

Similar ideas can be applied when $r$ is negative. The method proposed in Lemma 5 relies essentially
on the group arithmetic of $\mathcal{G}$ and thus is quite different from a generalization of the binary search
method.
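The following Python model is an added illustration, not code from the paper: it builds a small constructed infrastructure (the oracle knows $R$ and $d$ only so that it can answer $bs$, $bs^{-1}$, $gs$ and the exact relative distances), then implements the Lemma 2 reduction to $f$-representations, the double-and-multiply of Corollary 3 and the evaluation of $h(r)$ from Lemma 5 using nothing but those primitives; the finite cyclic group of Example 1 is the same model with integer distances. The rational toy distances, the indexing of elements and the helper `psi` (equation (10), used only to check results) are the example's own assumptions.

```python
"""Constructed toy model of a one-dimensional infrastructure (X, d); an added
illustration, not code from the paper.  The oracle knows R and d only to
answer bs, bs^-1, gs and the (exact) relative distances; everything after it
uses just those four primitives, as Lemma 2, Corollary 3 and Lemma 5 do."""
from fractions import Fraction as Fr
from typing import List, Tuple

Rep = Tuple[int, Fr]  # f-representation (x, f): x indexes X, 0 <= f < Delta_bs(x)


class Infrastructure:
    def __init__(self, R: Fr, dist: List[Fr]):
        # X = {x_0, ..., x_{m-1}} stored in circle order, d(x_0) = 0 < d(x_1) < ... < R
        assert dist[0] == 0 and dist[-1] < R
        assert all(a < b for a, b in zip(dist, dist[1:]))
        self.R, self.d, self.m = R, dist, len(dist)

    def _next(self, pos: Fr, strict: bool) -> Tuple[int, Fr]:
        """Element z whose distance is the first point of d(X) met when moving
        clockwise from pos (strictly past pos if strict), and the step r taken."""
        best = None
        for z, dz in enumerate(self.d):
            r = (dz - pos) % self.R
            if strict and r == 0:
                r = self.R
            if best is None or r < best[1]:
                best = (z, r)
        return best

    # The primitives of assumptions A3/A4, here exact (sections 2.3 to 2.5).
    def bs(self, x: int) -> int:              return self._next(self.d[x], True)[0]
    def delta_bs(self, x: int) -> Fr:         return self._next(self.d[x], True)[1]
    def bs_inv(self, x: int) -> int:          return (x - 1) % self.m  # circle order
    def gs(self, x: int, y: int) -> int:      return self._next(self.d[x] + self.d[y], False)[0]
    def delta_gs(self, x: int, y: int) -> Fr: return self._next(self.d[x] + self.d[y], False)[1]

    def psi(self, rep: Rep) -> Fr:
        """Absolute distance of a pair, equation (10); used only to check results."""
        return (self.d[rep[0]] + rep[1]) % self.R


def reduce(I: Infrastructure, x: int, f: Fr) -> Rep:
    """Lemma 2: slide (x, f) along the circle with baby steps until
    0 <= f < Delta_bs(x).  Every move keeps d(x) + f (mod R) unchanged."""
    while f < 0:                 # one step back, earning Delta_bs of the new element
        x = I.bs_inv(x)
        f += I.delta_bs(x)
    while f >= I.delta_bs(x):    # one step forward, paying Delta_bs of the current one
        f -= I.delta_bs(x)
        x = I.bs(x)
    return x, f


def add(I: Infrastructure, p: Rep, q: Rep) -> Rep:
    """Group law (11), then the Lemma 2 reduction to an f-representation."""
    (x, f), (y, g) = p, q
    return reduce(I, I.gs(x, y), f + g - I.delta_gs(x, y))


def scalar_mul(I: Infrastructure, a: int, p: Rep) -> Rep:
    """Corollary 3: a.(x, f) by double and multiply, O(log a) giant steps."""
    acc, dbl = (0, Fr(0)), p     # (x_0, 0) is the identity of the group
    while a > 0:
        if a & 1:
            acc = add(I, acc, dbl)
        dbl = add(I, dbl, dbl)
        a >>= 1
    return acc


def h(I: Infrastructure, r: Fr, k: int) -> Rep:
    """Lemma 5: the f-representation of (x_0, r) for r >= 0.  k baby steps give
    x_k = bs^k(x_0) and d(x_k); then a.(x_k, 0) with a = round(r / d(x_k)) lands
    within d(x_k)/2 of r, and the remainder is absorbed by the reduction."""
    assert r >= 0 and k >= 1
    x_k, d_k = 0, Fr(0)
    for _ in range(k):
        d_k += I.delta_bs(x_k)
        x_k = I.bs(x_k)
    a = round(r / d_k)
    x, f = scalar_mul(I, a, (x_k, Fr(0)))
    return reduce(I, x, f + (r - a * d_k))


if __name__ == "__main__":
    # Constructed sample: R = 10 with six elements at rational distances.
    I = Infrastructure(Fr(10), [Fr(0), Fr(3, 2), Fr(3), Fr(17, 4), Fr(7), Fr(17, 2)])
    r = Fr(37, 4)
    x, f = h(I, r, 2)
    print(f"h({r}) = (x_{x}, {f}); psi = {I.psi((x, f))}")  # psi equals r mod R
```

Feeding `Infrastructure(Fr(7), [Fr(i) for i in range(7)])` to the same functions reproduces Example 1: every `delta_bs` is 1, every `delta_gs` is 0, and `scalar_mul` is exponentiation in the cyclic group.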
Definition 5. Let $x \in X$ be an arbitrary (but fixed) element of the infrastructure. Let $g : \mathbb{Z} \times
\mathbb{R} \to \mathcal{G}$ be the surjective homomorphism, where $g(a, r)$ is defined to be the unique $f$-representation
corresponding to

$$a \cdot (x, 0) + h(r). \quad (13)$$

We note that $g(a, b)$ is the same as the $f$-representation of $h(a\, d(x) + b)$, where $d(x)$ is the distance of
$x$.

The following statement on the kernel of the homomorphism $g$ is obvious.

Lemma 6. The kernel of the above homomorphism $g$ is equal to

$$\{ (a, r) : r \equiv -a\, d(x) \bmod R \}.$$

Corollary 7. Let $A$ be an arbitrary positive integer and $B$ an arbitrary positive real number.
Then, we can determine the exact value $g(a, r)$ for all pairs $(a, r) \in \{0,1,\dots,A-1\} \times [0, B]$ in
time $O((\log A + \log B)\, poly(n))$ under the assumption that $\Delta_{bs}$ and $\Delta_{gs}$ can be computed perfectly.

Proof. By definition $g(a, r) = a \cdot (x, 0) + h(r)$. The computation of $a \cdot (x, 0)$ can be performed in
$O(\log(A)\, k \lceil 2 d_{max} / d_k \rceil) = O(\log(A)\, poly(n))$ time by Corollary 3, while the computation of $h(r)$ can
be performed in $O(\log(B)\, k \lceil 2 d_{max} / d_k \rceil) = O(\log(B)\, poly(n))$ time by Lemma 5. The final group
addition in $\mathcal{G}$ takes at most $k = poly(n)$ baby-steps, by Lemma 2. □



2.6 Efficient approximate group arithmetic and evaluation of the homomorphisms from $\mathbb{R}$ and $\mathbb{Z} \times \mathbb{R}$

The previous assumption that we can compute $\Delta_{bs}$ and $\Delta_{gs}$ exactly and represent arbitrary real numbers
is clearly an idealization. We made this assumption at first because we can explain the intuition in
a simpler and more elegant way when the homomorphisms $h$ and $g$ are perfect. We now drop this
assumption and work instead with the approximate versions $\tilde{\Delta}_{bs}$ and $\tilde{\Delta}_{gs}$.

Let $L$ be some large positive integer. We only consider evaluation points $r$ that are rational numbers
with denominator $L$.

Let $h(r) = (x, f)$ be the perfect $f$-representation with $(x, f) \equiv (x_0, r)$. We can only determine an
approximation $\tilde h(r) = (\tilde x, \tilde f) \in X \times \mathbb{R}$ of $h(r)$. This approximation can be realized efficiently and has
the following two properties:

P1. The first component is off by at most either a baby-step backward or forward, i.e., $\tilde x \in
\{ bs^{-1}(x), x, bs(x) \}$.

P2. If we have the promise that

$$\frac{1}{L} < f < \Delta_{bs}(x) - \frac{1}{L} \quad (14)$$

holds, then the first component is correct, i.e., $\tilde x = x$, and the second component $\tilde f$ satisfies

$$|f - \tilde f| < \frac{1}{L}. \quad (15)$$
Later, we will show that all evaluation points $r$ necessary for the quantum algorithm are such
that the condition in equation (14) holds with high probability, by adding a random shift to the
evaluation points.

Lemma 8 (Approximate homomorphism $h$). Let $L$ be a positive integer with $d_{min} > 1/L$. We
consider only evaluation points of the form $r = k/L$ with $r < B$. Let $h(r) = (x, f)$ be the perfect
$f$-representation. Then, we can compute an approximate pair $\tilde h(r) = (\tilde x, \tilde f)$ that satisfies P1, P2.
The running time is $poly(\log(B), \log(L), n)$.

Proof. We analyze what happens if we run the algorithm in Lemma 5 but now rely on the approximate
versions $\tilde{\Delta}_{bs}$ and $\tilde{\Delta}_{gs}$. Recall that the parameter $m$ characterizes the precision of the
approximations. The maximal deviation between the approximate and perfect values is smaller
than $1/2^m$.

We use $\tilde d_{acc}(\cdot)$ to denote the corresponding approximate accumulated distances of the (intermediate)
$f$-representations and their first components. We use $d_{acc}(\cdot)$ to denote the correct accumulated
distance of the representations and elements (these distances exist even though we cannot always
compute them). The accumulated distances are not taken modulo $R$ and take into account how
the $f$-representation is generated. A key observation that we need in the proof is that $d_{acc}(\tilde x, \tilde f) =
d_{acc}(\tilde x) + \tilde f$ and $\tilde d_{acc}(\tilde x, \tilde f) = \tilde d_{acc}(\tilde x) + \tilde f$, so that $d_{acc}(\tilde x, \tilde f) - \tilde d_{acc}(\tilde x, \tilde f) = d_{acc}(\tilde x) - \tilde d_{acc}(\tilde x)$.

The characterizing condition of the perfect $f$-representation is

$$d_{acc}(x) \le r < d_{acc}(x) + \Delta_{bs}(x). \quad (16)$$

We can only guarantee

$$\tilde d_{acc}(\tilde x) \le r < \tilde d_{acc}(\tilde x) + \tilde{\Delta}_{bs}(\tilde x) \quad (17)$$

for the approximate pair $(\tilde x, \tilde f)$.

Assume that $m$ has been chosen to be sufficiently large so that

$$|\tilde d_{acc}(\tilde x) - d_{acc}(\tilde x)| < \frac{1}{2L} \quad (18)$$

holds. Together with equation (17) this implies

$$d_{acc}(\tilde x) - \frac{1}{2L} \le r < d_{acc}(\tilde x) + \Delta_{bs}(\tilde x) + \frac{1}{2L} + \frac{1}{2^m}. \quad (19)$$

This condition on $\tilde x$ is weaker than the condition on the perfect $x$ in equation (16). But since
$1/2^m < 1/L < d_{min}$ we must have $\tilde x \in \{ bs^{-1}(x), x, bs(x) \}$, depending on which of the three cases
$r < d_{acc}(\tilde x)$, $d_{acc}(\tilde x) \le r < d_{acc}(\tilde x) + \Delta_{bs}(\tilde x)$, or $d_{acc}(\tilde x) + \Delta_{bs}(\tilde x) \le r$ occurs. We cannot have a
deviation by more than one baby-step backward or forward because otherwise equation (17) would
not be satisfied.

If we know that $f$ satisfies $\frac{1}{L} < f < \Delta_{bs}(x) - \frac{1}{L}$, then we can conclude that $\tilde x = x$ must hold. This
is because the first and third cases are excluded. The condition on $\tilde f$ is automatically satisfied in
this case since $\tilde f = r - \tilde d_{acc}(\tilde x)$, which is the same as $r - \tilde d_{acc}(x)$.
We now show how to choose $m$ so that the condition in equation (18) holds. The algorithm in
Lemma 5 has two steps. In the first step, we compute $a \cdot (x_k, 0)$, where $a = [r / d(x_k)]$. This gives
us a representation $(x', f')$ such that

$$|d_{acc}(x', f') - r| \le \frac{d(x_k)}{2}.$$

Then we apply a sequence of baby-steps to obtain an $f$-representation $(x, f)$, which satisfies
$d_{acc}(x, f) = r$.

Working with $\tilde{\Delta}_{bs}$ and $\tilde{\Delta}_{gs}$, in the first step we actually compute $(\tilde x', \tilde f')$, an approximation of
$\tilde a \cdot (x_k, 0)$, where $\tilde a = [r / \tilde d(x_k)]$.

Let us analyze the error in this computation. The computation of $\tilde a \cdot (x_k, 0)$ itself can be broken
down into two parts: (i) computation of representations of the form $(x^{(i)}, f^{(i)})$ which approximate
$2^i (x_k, 0)$ and (ii) summing $O(\log \tilde a)$ such representations.

The error at the very beginning $e_0$ satisfies

$$e_0 := |\tilde d_{acc}(x^{(0)}) - d_{acc}(x^{(0)})| = |\tilde d_{acc}(x^{(0)}, f^{(0)}) - d_{acc}(x^{(0)}, f^{(0)})| \le \frac{k}{2^m}.$$

Note that $\tilde d_{acc}(x_k) \ge d_k$ holds because if we get a value strictly smaller than $d_k$ we can replace it
by $d_k$, because of A7.

The error in the $i$th step

$$e_i := |\tilde d_{acc}(x^{(i)}) - d_{acc}(x^{(i)})| = |\tilde d_{acc}(x^{(i)}, f^{(i)}) - d_{acc}(x^{(i)}, f^{(i)})|$$

satisfies the recursion

$$e_i \le 2 e_{i-1} + \frac{1}{2^m} + \frac{k \lceil 2 d_{max} / d_k \rceil}{2^m}. \quad (20)$$

The recursion relation can be easily explained by considering equation (12). The first term is due
to the fact that the error $e_{i-1}$ is multiplied by 2, the second term is due to one giant-step, and
the third term is due to the $O(k \lceil 2 d_{max} / d_k \rceil)$ baby-steps used to obtain a valid $f$-representation. This
implies



$$e_i \le \frac{2^{i+1}}{2^m}\left(1 + k\left\lceil \frac{2 d_{\max}}{d_k} \right\rceil\right). \qquad (21)$$

In order to obtain $(x', f')$, we have to sum $O(\log a)$ such $f$-representations, where $i$ varies from $0$ to $\log a - 1$. Each sum adds an additional error term due to the giant step and the baby-steps used for reduction. Therefore the error at the end of the first step is given by

$$e' := |\tilde d_{\mathrm{acc}}(\tilde x') - d_{\mathrm{acc}}(x')| = |\tilde d_{\mathrm{acc}}(\tilde x', \tilde f') - d_{\mathrm{acc}}(x', f')|$$
$$\le \sum_{i=0}^{\log a - 1} e_i + \frac{\log a}{2^m}\left(1 + k\left\lceil \frac{2 d_{\max}}{d_k} \right\rceil\right) \le \frac{2a + \log a}{2^m}\left(1 + k\left\lceil \frac{2 d_{\max}}{d_k} \right\rceil\right)$$
$$\le \left(\frac{2(r + d_k)}{2^m d_k} + \frac{\log(r/d_k + 1)}{2^m}\right)\left(1 + k\left\lceil \frac{2 d_{\max}}{d_k} \right\rceil\right),$$

where we used the fact that $a \le r/d_k + 1$. The $f$-representation $(x', f')$ is at most at a distance of $d_{\max} k$ from $r$ (this can be tightened by a factor of 2, but the bound suffices). Thus $(\tilde x', \tilde f')$ is at most at a distance of $e' + d_{\max} k$ from $r$ and we need to take at most $k \lceil (e' + d_{\max} k)/d_k \rceil$ baby-steps to obtain $(\tilde x, \tilde f)$.



The error in the accumulated distances of the final representation $(\tilde x, \tilde f)$ is given by

$$e := |\tilde d_{\mathrm{acc}}(\tilde x) - d_{\mathrm{acc}}(x)| = |\tilde d_{\mathrm{acc}}(\tilde x, \tilde f) - d_{\mathrm{acc}}(x, f)| \le e' + \frac{k}{2^m}\left\lceil \frac{e' + d_{\max} k}{d_k} \right\rceil.$$

The dominant term in the error is the first term $e'$, which grows linearly in $r$; the second term carries an additional factor of $1/2^m$ and therefore does not contribute much once $m$ is large. We can make the error smaller than $1/2L$, as required in equation (18), by choosing $m = \mathrm{poly}(\log(B), \log(L))$. □

The proof does not actually require that the evaluation points are of the form $k/L$.

Analogous results hold for the homomorphism $g$. We state them without proof since the above argument can be easily adapted.

Let $g(a, r) = (x, f)$ be the perfect $f$-representation. We can only determine an approximation $\tilde g(a, r) = (\tilde x, \tilde f) \in X \times \mathbb{R}$ of $g(a, r)$. This approximation can be realized efficiently and has the properties P1, P2.

Lemma 9 (Approximate homomorphism $g$). Let $L$ be a positive integer with $d_{\min} > 1/L$. We consider only evaluation points of the form $(a, r)$ with $a \in \{0, 1, \ldots, A-1\}$ and $r = k/L \in [0, B]$. Let $g(a, r) = (x, f)$ be the perfect $f$-representation. Then we can compute an approximate pair $\tilde g(a, r) = (\tilde x, \tilde f)$ that satisfies P1 and P2. The running time is $\mathrm{poly}(\log(A), \log(B), \log(L), n)$.



3 Quantum algorithm for approximating the period of pseudo-periodic states

In this section we generalize the notion of periodic states introduced in [16]. We assume that the quantum states are elements of a $q$-dimensional complex Hilbert space, denoted by $\mathbb{C}^q$.

3.1 Pseudo-periodic states

Definition 6 (Periodic state). A quantum state in $\mathbb{C}^q$ is periodic with period $r \in \mathbb{Z}$ at offset $k \in \{0, 1, \ldots, r-1\}$ if it is of the form

$$|\psi\rangle_{k,r} := \frac{1}{\sqrt{p}} \sum_{j=0}^{p-1} |k + jr\rangle, \qquad (22)$$

where $p = \lfloor (q - k - 1)/r + 1 \rfloor$. We denote a periodic state with period $r$ at offset $k$ by $|\psi\rangle_{k,r}$.

Periodic states can be created by evaluating a periodic function that is injective on a single period over a uniform superposition. To be more precise, we create the state $|\psi\rangle = q^{-1/2} \sum_{i=0}^{q-1} |i\rangle |f(i)\rangle$ and measure the second register. We assume that $f$ is periodic with period $r$. It is possible to recover the period $r$ by means of Fourier sampling. In fact, the period can be recovered even when $r$ is irrational. For this reason, we generalize these periodic states to a larger class of quantum states called pseudo-periodic states.
Definition 7 (Pseudo-periodic state). A pseudo-periodic state in $\mathbb{C}^q$, with possibly irrational period $r \in \mathbb{R}$, is of the form

$$|\psi\rangle_{k,r} = \frac{1}{\sqrt{p}} \sum_{j=0}^{p-1} |[k + jr]\rangle, \qquad (23)$$

where $k \in \{0, 1, \ldots, \lfloor r \rfloor\}$ and $p$ is the largest integer such that $[k + (p-1)r] \le q - 1$.

Please note that $[x]$ can be either $\lfloor x \rfloor$ or $\lceil x \rceil$; therefore $p$ can take any integer value in the set $\{\lfloor (q-2)/r \rfloor, \ldots, \lfloor q/r \rfloor + 1\}$, depending on the value of the offset $k$. If we assume that $r \ge 2$, then we can restrict $p \in \{\lfloor q/r \rfloor - 1, \lfloor q/r \rfloor, \lfloor q/r \rfloor + 1\}$.

The weakly periodic functions defined in [13] are one class of functions which can induce such pseudo-periodic states. As we show in this section, we can recover the period even when the state is only "almost" periodic. We observe that in the definition of the periodic states above, there is an implicit dependence on the offset $k$; this offset is usually the outcome of some measurement, and therefore random.



3.2 Perturbed geometric sums with missing terms 

The following lemma is at the heart of the analysis of the quantum algorithms for infrastructures. It is crucial for understanding the performance of these algorithms. The special case $J = \{0, 1, \ldots, n-1\}$ suffices to bound the success probability of the algorithm for computing the circumference. The more general case where $J$ is a proper subset of $\{0, 1, \ldots, n-1\}$ is necessary for the analysis of the quantum algorithm for computing discrete logarithms.

Lemma 10 (Perturbed geometric sums with missing terms). Let $\omega$ be the $n$th root of unity $e^{2\pi i/n}$, $n \ge 2$, and let $\theta$ be an arbitrary real-valued function defined on $J \subseteq \{0, \ldots, n-1\}$ satisfying the following conditions on $\theta_j$ and $J$:

$$|\theta_j| \le n/32, \qquad (24a)$$
$$|J| \ge n(1 - c_\delta)/(1 - 2\sin(\pi/32)), \qquad (24b)$$

where

$$c_\delta = \mathrm{sinc}(\delta) = \frac{\sin(\pi\delta)}{\pi\delta} \quad \text{if } |\delta| < 1. \qquad (25)$$

Then the following inequality holds:

$$\left(\frac{1}{|J|}\left|\sum_{j \in J} \omega^{\delta j + \theta_j}\right|\right)^2 \ge \left(1 - 2\sin(\pi/32) - (1 - c_\delta)\frac{n}{|J|}\right)^2. \qquad (26)$$

Proof. The triangle inequality and the lower bound on the absolute value of the unperturbed geometric sum without missing terms imply

$$\left|\sum_{j \in J} \omega^{\delta j}\right| + \left|\sum_{j \notin J} \omega^{\delta j}\right| \ge \left|\sum_{j=0}^{n-1} \omega^{\delta j}\right| = \frac{|1 - \omega^{\delta n}|}{|1 - \omega^{\delta}|} = \frac{|\sin(\pi\delta)|}{|\sin(\pi\delta/n)|} \qquad (27)$$
$$\ge \frac{\sin(\pi\delta)}{\pi\delta/n} = n c_\delta. \qquad (28)$$

The equality in equation (27) follows from $|1 - e^{i\vartheta}| = 2|\sin(\vartheta/2)|$, holding for all $\vartheta \in \mathbb{R}$. For the inequality in equation (28) we used the fact that $|\sin\vartheta| \le |\vartheta|$ when $0 \le \vartheta \le \pi/2$.

Subtracting the absolute value of the sum over the complement of $J$, which is at most $n - |J|$, from both sides of equation (28) and dividing by $|J|$ yields

$$\frac{1}{|J|}\left|\sum_{j \in J} \omega^{\delta j}\right| \ge c_\delta \frac{n}{|J|} - \frac{n - |J|}{|J|} = 1 - (1 - c_\delta)\frac{n}{|J|}. \qquad (29)$$

We now bound the "perturbed" geometric sum. To this end, we use some basic ideas from quantum information theory. Define the states $|\psi\rangle = \frac{1}{\sqrt{|J|}}\sum_{j \in J} \omega^{\delta j}|j\rangle$ and $|e\rangle = \frac{1}{\sqrt{|J|}}\sum_{j \in J} |j\rangle$, the projector $P = |e\rangle\langle e|$, and the diagonal unitary matrix $U = \mathrm{diag}(\omega^{\theta_j} : j \in J)$. Observe that the square of the absolute value of the unperturbed geometric sum, normalized by $|J|^2$, is equal to $\|P|\psi\rangle\|^2$, and that of the perturbed one to $\|PU|\psi\rangle\|^2$. We have

$$\big|\,\|P|\psi\rangle\| - \|PU|\psi\rangle\|\,\big| \le \|P|\psi\rangle - PU|\psi\rangle\| \le \|P\|\,\|I - U\|\,\||\psi\rangle\| = 2\max_{j \in J}|\sin(2\pi\theta_j/(2n))| \le 2\sin(\pi/32). \qquad (30)$$

The upper bound on $\|I - U\|$ follows by noting that the entries of the diagonal matrix $I - U$ are $1 - e^{2\pi i\theta_j/n}$ and using the above identity for the absolute value of expressions of this form. Let $\|P|\psi\rangle\| = x$ and $\|PU|\psi\rangle\| = y$. Then equation (30) implies the desired result since

$$y^2 \ge \left(x - 2\sin(\pi/32)\right)^2 \ge \left(1 - 2\sin(\pi/32) - (1 - c_\delta)\frac{n}{|J|}\right)^2, \qquad (31)$$

where we used equation (29) in the last step. □
We pause to make two observations regarding the application of this result. First, we must ensure that $|J|/n \ge (1 - c_\delta)/(1 - 2\sin(\pi/32))$ for $\delta \in [0, 1)$. Second, the choice $|\theta_j| \le n/32$ can be improved, in that we can tolerate a higher perturbation depending on the actual value of $\delta$. Although we retain this bound on $\theta_j$ throughout this paper for the sake of a clearer exposition, optimizing this bound on $\theta_j$ based on $\delta$ would yield better bounds on the success probability of the quantum algorithms.
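Lemma 10 is easy to sanity-check numerically. The following Python is an added example written for this page (it is not code from the paper): it evaluates the normalized perturbed sum $(1/|J|)\,|\sum_{j \in J} \omega^{\delta j + \theta_j}|$ for randomly drawn phase errors with $|\theta_j| \le n/32$ and a randomly chosen set of missing indices, tests the hypotheses (24a) and (24b), and compares the squared sum with the right-hand side of (26). The parameters $n = 64$, $\delta = 1/2$ (the worst case that Theorem 11 needs) and 16 missing terms are constructed inputs.

```python
import cmath
import math
import random


def sinc(delta):
    """c_delta = sin(pi delta) / (pi delta) from eq. (25), with sinc(0) = 1."""
    if delta == 0:
        return 1.0
    return math.sin(math.pi * delta) / (math.pi * delta)


def normalized_sum(n, delta, theta, J):
    """(1/|J|) |sum_{j in J} omega^(delta j + theta_j)| with omega = exp(2 pi i / n).

    theta maps j -> theta_j; J is the set of surviving indices.
    """
    total = sum(cmath.exp(2j * math.pi * (delta * j + theta[j]) / n) for j in J)
    return abs(total) / len(J)


def lemma10_rhs(n, delta, J_size):
    """Right-hand side of eq. (26) before squaring."""
    return 1.0 - 2.0 * math.sin(math.pi / 32) - (1.0 - sinc(delta)) * n / J_size


def hypotheses_hold(n, delta, theta, J):
    """Conditions (24a) and (24b) of Lemma 10."""
    small_phases = all(abs(theta[j]) <= n / 32 for j in J)
    enough_terms = len(J) >= n * (1.0 - sinc(delta)) / (1.0 - 2.0 * math.sin(math.pi / 32))
    return small_phases and enough_terms


def check_lemma10(n, delta, missing, seed=0):
    """Draw |theta_j| <= n/32 uniformly, drop `missing` random indices, and
    return (lhs, rhs, hypotheses_ok, inequality_ok) for eq. (26)."""
    rng = random.Random(seed)
    theta = {j: rng.uniform(-n / 32, n / 32) for j in range(n)}
    J = set(rng.sample(range(n), n - missing))
    lhs = normalized_sum(n, delta, theta, J)
    rhs = lemma10_rhs(n, delta, len(J))
    return lhs, rhs, hypotheses_hold(n, delta, theta, J), lhs ** 2 >= rhs ** 2


if __name__ == "__main__":
    # Constructed parameters: n = 64 terms, delta = 1/2, 16 missing terms.
    lhs, rhs, ok_hyp, ok_ineq = check_lemma10(64, 0.5, 16)
    print(f"lhs={lhs:.4f} rhs={rhs:.4f} hypotheses={ok_hyp} inequality={ok_ineq}")
```

Because the proof bounds the perturbed sum by $x - 2\sin(\pi/32)$ independently of how the phases are drawn, the inequality holds for every seed; the bound depends only on $\delta$ and on $|J|/n$, which is exactly what the later probability estimates need.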



3.3 Presentation and proof of the quantum algorithm

Now we shall give a quantum algorithm for estimating the period of a pseudo-periodic state. In general, these states arise from some periodic functions; therefore the proposed quantum algorithm can be used to estimate the periods of such functions.

Theorem 11. Given a pair of pseudo-periodic states whose period $S \in \mathbb{R}$ is bounded as $M \ge S > 1$, then with probability $\Omega(1)$ and in time $\mathrm{poly}(\log S)$, Algorithm 1 gives a list of real numbers $\mathcal{L}$ such that for some $\tilde S \in \mathcal{L}$ we have $|\tilde S - S| < 1$. Further, $|\mathcal{L}| = O(\mathrm{polylog}\, S)$ and the success probability is given by

$$p_{\mathrm{success}} \ge \frac{1}{2}\left(\frac{1}{32} - \frac{2}{S}\right)^2\left(1 - \frac{2}{S}\right)^2\left(\mathrm{sinc}\!\left(\frac{1}{2} + \frac{1}{2S}\right) - 2\sin(\pi/32)\right)^4, \qquad (32)$$

where $M^2 \le q < 2M^2$.

Algorithm 1 Approximate period of pseudo-periodic states

Require: A pair of pseudo-periodic states in $\mathbb{C}^q$ with period $S \in \mathbb{R}$, where $M$ is an upper bound on $S \ge 2$ and $q$ is an integer such that $S^2 \le M^2 \le q < 2M^2$.
1: For each pseudo-periodic state, apply a Fourier transform over $\mathbb{Z}_q$ and measure to obtain $c$ and $d$.
2: Compute the convergents $c_i/d_i$ of $c/d$ with $d_i < \lfloor q/32 \rfloor$.
3: Return $\mathcal{L} = \{[c_i q/c] \mid d_i < \lfloor q/32 \rfloor\}$ as candidates for $S$.



Proof. Assume that the pseudo-periodic state is as follows:

$$|\psi\rangle_{o,S} = \frac{1}{\sqrt{|J|}}\sum_{j \in J} |[o + jS]\rangle,$$

where $J = \{0, 1, \ldots, p-1\}$ and $p \in \{\lfloor q/S \rfloor - 1, \lfloor q/S \rfloor, \lfloor q/S \rfloor + 1\}$. Since we are Fourier sampling, we may assume without loss of generality that $o = 0$. Therefore, the measured distribution will be the same as the one induced by Fourier sampling the following state:

$$|\psi\rangle = \frac{1}{\sqrt{|J|}}\sum_{j \in J} |[jS]\rangle. \qquad (33)$$

Taking the Fourier transform over $\mathbb{Z}_q$ we obtain
$$\frac{1}{\sqrt{q|J|}}\sum_{\ell=0}^{q-1}\sum_{j \in J}\omega_q^{\ell[jS]}\,|\ell\rangle, \qquad (34)$$

where $\omega_q = e^{2\pi i/q}$. The Fourier transform at $|\ell\rangle$ has the amplitude

$$\frac{1}{\sqrt{q|J|}}\sum_{j \in J}\omega_q^{\ell[jS]}. \qquad (35)$$

We seek to find a lower bound on the probability of obtaining outcomes $\ell$ of the form $[mq/S]$, where $m \in \{0, 1, \ldots, \lfloor S \rfloor\}$. For a given $m$, $[mq/S]$ denotes either the floor or the ceiling, so that $[mq/S] = mq/S + \epsilon_\ell$ with $|\epsilon_\ell| \le \frac{1}{2}$; likewise $[jS] = jS + \epsilon_j$ with $|\epsilon_j| \le \frac{1}{2}$. The probability of observing $\ell$ is given by

$$\Pr(\ell) = \frac{1}{q|J|}\left|\sum_{j \in J}\omega_q^{\ell[jS]}\right|^2. \qquad (36)$$

To bound this probability, we consider the exponent of $\omega_p = e^{2\pi i/p}$, which is $p\,\ell[jS]/q$:

$$\frac{p}{q}\left(\frac{mq}{S} + \epsilon_\ell\right)(jS + \epsilon_j) = pmj + \frac{pS\epsilon_\ell}{q}\,j + \frac{p\,\epsilon_j\epsilon_\ell}{q} + \frac{pm\epsilon_j}{S}. \qquad (37)$$

The first term is a multiple of $p$, implying that it can be omitted in the exponent. The factor $\delta = pS\epsilon_\ell/q$ in front of $j$ in the second term is, in absolute value, at most $(1 + S/q)/2 \le (1 + 1/S)/2$. The absolute value of the sum of the third and fourth terms is at most $p/32$ provided that $m \le \lfloor S/32 \rfloor$. In this case, the phase perturbations $\theta_j$ caused by these two terms satisfy equation (24a). Further, $|J| = p$ ensures that equation (24b) is also satisfied, and we can apply Lemma 10 with $n = p$. We conclude that the probability of obtaining $|\ell\rangle$ is

$$\Pr(\ell) = \frac{p}{q}\left(\frac{1}{|J|}\left|\sum_{j \in J}\omega_p^{\delta j + \theta_j}\right|\right)^2 \ge \frac{p}{q}\left(\mathrm{sinc}(\delta) - 2\sin(\pi/32)\right)^2 \ge \frac{1}{S}\left(1 - \frac{2}{S}\right)\left(\mathrm{sinc}\!\left(\frac{1}{2} + \frac{1}{2S}\right) - 2\sin(\pi/32)\right)^2,$$

where the last inequality follows from $p \ge \lfloor q/S \rfloor - 1 \ge q/S - 2$, from $q \ge S^2$, and from the fact that $\mathrm{sinc}$ is decreasing on $[0, 1)$. So the probability of obtaining any "good" $\ell$, i.e. $\ell = [mq/S]$ with $m \in \{1, \ldots, \lfloor S/32 - 1 \rfloor\}$, is at least $\beta$, where

$$\beta = \left(\frac{1}{32} - \frac{2}{S}\right)\left(1 - \frac{2}{S}\right)\left(\mathrm{sinc}\!\left(\frac{1}{2} + \frac{1}{2S}\right) - 2\sin(\pi/32)\right)^2, \qquad (38)$$

where we used that $\lfloor S/32 - 1 \rfloor \ge S/32 - 2$. The measured value $\ell$ is a multiple of $q/S$ rounded to the nearest integer, i.e. $\ell = [mq/S]$ for some $m$.

Unlike the case of the period finding algorithm where the period is integral, the period $S$ of $|\psi\rangle_{k,S}$ cannot be reconstructed by Fourier sampling one (pseudo-periodic) quantum state. However, as shown below, we can reconstruct it using the method suggested by Hallgren in [13]. Suppose we have two measurements $c = [kq/S]$ and $d = [lq/S]$, obtained by Fourier sampling the pair of periodic states; then $k/l$ occurs as a convergent of $c/d$ and we can compute an integer close to $S$ by computing $[kq/c]$. Without loss of generality assume that $0 < k < l \le \lfloor S/32 \rfloor$. Assume that $c = kq/S + \epsilon_c$ and $d = lq/S + \epsilon_d$ where $-1/2 \le \epsilon_c, \epsilon_d \le 1/2$. Then

$$\left|\frac{c}{d} - \frac{k}{l}\right| = \left|\frac{kq + \epsilon_c S}{lq + \epsilon_d S} - \frac{k}{l}\right| = \frac{S\,|\epsilon_c l - \epsilon_d k|}{l^2 q + \epsilon_d S l} \le \frac{S(l + k)/2}{l^2 q - Sl/2} < \frac{1}{2l^2},$$

under the assumption that $0 < k < l \le \lfloor S/32 \rfloor$ and $q \ge S^2$. Thus $k/l$ is a convergent of $c/d$. Since $l \le \lfloor S/32 \rfloor$, we only need to compute the convergents $c_i/d_i$ whose denominators $d_i$ are less than $\lfloor q/32 \rfloor$. We now form the list of candidate estimates for $S$ as

$$\mathcal{L} = \{[c_i q/c] \mid d_i < \lfloor q/32 \rfloor\}. \qquad (39)$$

As the $d_i$ grow exponentially, $|\mathcal{L}| = O(\mathrm{polylog}(S))$.



Since $k/l$ is a convergent of $c/d$, we know that there exists an estimate $\tilde S = [kq/c] \in \mathcal{L}$. We now show that $\tilde S$ satisfies $|\tilde S - S| < 1$. Let $c = kq/S + \epsilon_c$ and $\tilde S = kq/c$, where $|\epsilon_c| \le 1/2$. Then we can bound $|\tilde S - S|$ as

$$|\tilde S - S| = S\left|\frac{1}{1 + \epsilon_c S/kq} - 1\right| = \frac{|\epsilon_c|\,S^2/kq}{1 + \epsilon_c S/kq} \le \frac{|\epsilon_c|/k}{1 - |\epsilon_c|/kS} \quad \text{because } q \ge S^2$$
$$\le \frac{1/2k}{1 - 1/2kS} < 1.$$

We now compute a lower bound on the success probability of the algorithm. We have already seen that each of the two measurements is good with probability at least $\beta$ from (38). In order to be able to recover the period $S$, we require $k$ and $l$ to be coprime. By Lemma 20, the probability that $k, l$ are coprime is at least $1/2$. Thus the overall success probability of the algorithm is greater than $\beta^2/2 = \Omega(1)$. □



The algorithm does not return a single value for the period but rather a small list of candidates for 
the period. This presumes a post processing step by which we can single out the solutions. 

Further, we note that the previous algorithm uses a pair of pseudo-periodic states and if these 
states are being prepared probabilistically, then we must factor that into the success probability of 
the algorithm. 
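The classical post-processing of Algorithm 1 (steps 2 and 3, together with the continued-fraction argument in the proof above) can be run on its own. The following Python is an added example written for this page, not code from the paper: it constructs the two ideal outcomes $c = [kq/S]$ and $d = [lq/S]$ that the analysis assumes (no quantum sampling is simulated), computes the convergents of $c/d$, forms the list (39), and checks that a candidate within 1 of $S$ is present. The period $S = 1000\sqrt{2}$, the choice $q = 1500^2$ (so $M = 1500 \ge S$ and $M^2 \le q < 2M^2$) and the pair $k = 5$, $l = 37$ are constructed inputs.

```python
from fractions import Fraction


def convergents(num, den):
    """Continued-fraction convergents (c_i, d_i) of num/den, in lowest terms."""
    h_prev, h = 0, 1   # numerators h_{-2}, h_{-1}
    k_prev, k = 1, 0   # denominators k_{-2}, k_{-1}
    out = []
    a, b = num, den
    while b:
        quot, rem = divmod(a, b)
        h_prev, h = h, quot * h + h_prev
        k_prev, k = k, quot * k + k_prev
        out.append((h, k))
        a, b = b, rem
    return out


def ideal_outcome(S, q, m):
    """Constructed 'good' Fourier-sampling outcome [m q / S]; this stands in for
    the measurement of step 1 and is not a simulation of the quantum state."""
    return round(m * q / S)


def candidate_periods(c, d, q):
    """Steps 2-3 of Algorithm 1: convergents c_i/d_i of c/d with d_i < floor(q/32)
    give the candidates [c_i q / c] of eq. (39)."""
    if c == 0:
        return []
    cands = []
    for ci, di in convergents(c, d):
        if di >= q // 32:
            break
        cands.append(round(Fraction(ci * q, c)))
    return cands


def legendre_gap(c, d, k, l):
    """|c/d - k/l|; k/l is guaranteed to be a convergent of c/d once this is < 1/(2 l^2)."""
    return abs(Fraction(c, d) - Fraction(k, l))


def recover_period(S, q, k, l):
    """Run the classical part of Algorithm 1 on the outcomes c = [kq/S], d = [lq/S]
    and return (candidate list, candidate closest to S)."""
    c, d = ideal_outcome(S, q, k), ideal_outcome(S, q, l)
    cands = candidate_periods(c, d, q)
    return cands, min(cands, key=lambda s: abs(s - S))


if __name__ == "__main__":
    S = 1000 * 2 ** 0.5   # constructed irrational period, about 1414.21
    q = 1500 ** 2         # M = 1500 >= S, so M^2 <= q < 2 M^2
    cands, best = recover_period(S, q, 5, 37)   # 0 < k < l <= floor(S/32) = 44
    print(cands, best, abs(best - S) < 1)
```

With these inputs the convergents of $c/d = 7955/58867$ are $0/1, 1/7, 2/15, 5/37$, so the list contains $[5q/c] = 1414$, within 1 of $S$; the other entries are the spurious candidates the text mentions, which the caller has to weed out in a post-processing step.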
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4 Quantum algorithm for approximating the circumference 



Our goal is to set up pseudo-periodic states whose period is a multiple of the circumference of an 
infrastructure. Then the quantum algorithm of the preceding section can be applied to extract an 
integer close to the circumference. With this knowledge, the circumference can be computed to the 
desired accuracy by a classical algorithm. 

4.1 Pseudo-periodic states from infrastructures

In the preceding section we showed that an approximate version $\tilde h$ of $h$ can be computed so that properties P1, P2 are satisfied. For this approximate version to be useful, it is necessary that the $f$-representations at the evaluation points meet the condition stated in equation (14). In this subsection, we show how to satisfy this condition, which allows us to compute $\tilde h$ so that the first component is always correct and the error in the second component is under control. However, $\tilde h$ does not induce the periodic states that we discussed in the previous section. To create a periodic quantum state it is essential to work with a "quantized" version of $h$. Therefore we introduce the function $h_N : \mathbb{Z} \to X \times \mathbb{Z}$ by setting

$$h_N(i) = (x, \lfloor fN \rfloor), \qquad (40)$$

where $h(i/N + j/L) = (x, f)$. When P2 is satisfied, it is helpful to interpret $h_N$ in the following way: if $h_N(i) = (x, k)$, then $k$ is the number of sampling points between $d(x) + \lfloor (i/N + j/L)/R \rfloor R$ and $i/N + j/L$.

The incorrectness in $\tilde h$ cannot be avoided if the evaluation points $r$ are chosen arbitrarily. As already stated in the lemma on the approximate homomorphism $h$, we assume that the evaluation points are of the form $k/L$ for some large integer $L$ and bounded $k$. Even so, we cannot always evaluate $h$ correctly for every $k$. Therefore, we further restrict the evaluation of $h$ to a subset of the points which are uniformly spaced along a bounded interval, where $N$ divides $L$. We choose $N \ge \lceil 2/d_{\min} \rceil$ so that there are at least two evaluation points $i/N$ and $(i+1)/N$ between any two adjacent elements of $\mathcal{I}$. This is shown in the figure below. The dashed lines indicate the sampling points.

[Figure: the elements $\mathrm{bs}^{-1}(x)$, $x$, $\mathrm{bs}(x)$ on the line, with the unshifted sampling points $r = i/N$ drawn as dashed lines.]

But this is still inadequate to satisfy equation (14), as some of the evaluation points could be very close to elements of the infrastructure. So we shift all the evaluation points by a random offset of the form $j/L$, where $j$ is chosen uniformly at random from $\{0, 1, \ldots, L/N - 1\}$. This is shown in the figure below. The solid lines indicate the shifted evaluation points, and they are still of the form $k/L$.

Now we can show that with high probability equation (14) is satisfied, and we can use the lemma on the approximate homomorphism $h$ to guarantee that $\tilde h$ can be computed with the precision stated in equation (15).

[Figure: the same elements $\mathrm{bs}^{-1}(x)$, $x$, $\mathrm{bs}(x)$ with the shifted sampling points $i/N + j/L$ drawn as solid lines.]



Lemma 12. Let $N \ge \lceil 2/d_{\min} \rceil$. Suppose we evaluate at points $i/N + j/L$ for $i \in \{0, \ldots, q-1\}$, where $j$ is chosen uniformly at random from $\{0, 1, \ldots, L/N - 1\}$, and $L$ is an integer such that

$$L \ge \frac{2k\lceil q/(N d_k) \rceil}{1 - p_h}\,N. \qquad (41)$$

Then with probability greater than or equal to $p_h$, no sampling point $i/N + j/L$ is closer than $1/L$ to any element $x$ of $\mathcal{I}$, i.e.,

$$|(d(x) - i/N - j/L) \bmod R| \ge 1/L. \qquad (42)$$

Proof. By assumption A7 there are at most $k\lceil q/(N d_k) \rceil$ elements of $X$ in the interval $[0, q/N]$. There are $L/N$ possible offsets to choose from. Since the offsets are spaced at $1/L$, any element $x \in X$ can be within a distance of less than $1/L$ of a sampling point for at most two offsets. The fraction of offsets that are not useful is therefore at most $2k\lceil q/(N d_k) \rceil/(L/N) \le 1 - p_h$, provided that $L$ is chosen as in equation (41). □

When $L$ is chosen according to Lemma 12 we have $\tilde h_N(i) = (x, \lfloor \tilde f N \rfloor)$, where $\tilde h(i/N + j/L) = (x, \tilde f)$. We use $x$ instead of $\tilde x$ on purpose, to emphasize again that the first component is correct. It is crucial to observe that $\lfloor \tilde f N \rfloor$ is equal to $\lfloor fN \rfloor$. This is because P2 holds and no evaluation point is within $1/L$ of any element of the infrastructure.

The preceding results imply that $h_N(i)$ can be computed efficiently and correctly.

Corollary 13. If Lemma 12 holds, then for all $i$ with $0 \le i < 2N^2R^2$ the value $\tilde h_N(i) = (x, \lfloor \tilde f N \rfloor)$ is equal to $(x, \lfloor fN \rfloor)$, where $h(i/N + j/L) = (x, f)$ and $\tilde h(i/N + j/L) = (x, \tilde f)$.

Next we show that $h_N$, when evaluated over a finite interval, induces a periodic state with probability bounded below by (43), if we assume that no sampling point is too close to any element of the infrastructure.

Lemma 14. Let $N \ge \lceil 2/d_{\min} \rceil$ and let $|\psi\rangle = q^{-1/2}\sum_{i=0}^{q-1} |i\rangle|h_N(i)\rangle$. We assume that no element of the infrastructure is too close to the sampling points $i/N + j/L$, where $j$ and $L$ are chosen as in Lemma 12. Then, with probability greater than

$$p_{\mathrm{periodic}} \ge \left(1 - \frac{1}{N d_{\min}} - \frac{1}{NR}\right)\left(1 - \frac{2NR}{q}\right), \qquad (43)$$

measuring the second register of $|\psi\rangle$ induces a periodic state with period $NR$,

$$|\psi\rangle_{k,NR} = \frac{1}{\sqrt{p}}\sum_{\ell=0}^{p-1} |[k + \ell NR]\rangle, \qquad (44)$$

where $p$ is equal to one of the values $\lfloor q/NR \rfloor - 1$, $\lfloor q/NR \rfloor$, or $\lfloor q/NR \rfloor + 1$ (footnote 4: note that $N \ge \lceil 2/d_{\min} \rceil$ implies $NR \ge 2$, and therefore $p$ must be at least $\lfloor q/NR \rfloor - 1$).
Proof. Denote the measurement outcome by $(x, m)$. First, we show that if $(x, m)$ satisfies a certain condition, then the resulting post-measurement state is a pseudo-periodic state. Second, we estimate the probability that we obtain such a measurement outcome.

Assume that $h_N(k) = (x, m)$ for some $k \in \{0, \ldots, \lfloor NR \rfloor\}$. Then, in the $\ell$th period the sampling points are at a distance $\alpha_\ell + m_\ell/N$ for $m_\ell \in \{0, 1, \ldots, \lfloor N\Delta_{\mathrm{bs}}(x) \rfloor\}$ from the element $x$. Under the assumption of Lemma 12, $1/L \le \alpha_\ell \le 1/N - 1/L$.

Consider now the sampling points for the zeroth period and some other period $\ell \ne 0$.

[Figure: the element $x$ and its successor $\mathrm{bs}(x)$, with the sampling points $k-1, k, k+1$ of the zeroth period at offset $\alpha_0$ and the corresponding points of period $\ell$ at offset $\alpha_\ell$; the outcomes $(x, 0), (x, 1), \ldots$ are marked.]

Then the following cases arise: $1/L \le \alpha_\ell \le \alpha_0$, and $\alpha_0 < \alpha_\ell \le 1/N - 1/L$. As can be seen from the figure above, if $1/L \le \alpha_\ell \le \alpha_0$, then we must have $h_N(k) = h_N(k + \lfloor \ell NR \rfloor)$. On the other hand, if $\alpha_0 < \alpha_\ell \le 1/N - 1/L$, then it is clear that $h_N(k) = h_N(k + \lceil \ell NR \rceil)$ unless $k$ corresponds to the last sampling point between the elements $x$ and $y = \mathrm{bs}(x)$, since in this case $h_N(k + \lceil \ell NR \rceil) = (y, 0) \ne h_N(k)$.

On the one hand, if $k$ does not correspond to the last sampling point between two adjacent elements of $\mathcal{I}$, then for all $\ell \in \{0, 1, \ldots, p-1\}$ we have $h_N(k + [\ell NR]) = h_N(k)$. On the other hand, if $k$ corresponds to the last evaluation point between two elements, then the preimage may not contain all $\ell$.

We now estimate the probability of obtaining an outcome $(x, m)$ such that $h_N(k) = (x, m)$ and the offset $k \in \{0, \ldots, \lfloor NR \rfloor\}$ does not correspond to the last evaluation point between any two elements.

There are $\lfloor NR \rfloor + 1$ possible offsets in the zeroth period. At most $\lceil R/d_{\min} \rceil$ of these can correspond to last evaluation points between two elements. We know that the preimage of a "good" measurement outcome $(x, m)$ contains at least $\lfloor q/NR \rfloor - 1$ elements. So, the probability of obtaining a good measurement outcome is at least

$$p_{\mathrm{periodic}} \ge \frac{(\lfloor NR \rfloor + 1 - \lceil R/d_{\min} \rceil)\,(\lfloor q/NR \rfloor - 1)}{q} \ge \frac{(NR - R/d_{\min} - 1)(q/NR - 2)}{q} = \left(1 - \frac{1}{N d_{\min}} - \frac{1}{NR}\right)\left(1 - \frac{2NR}{q}\right).$$

□
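To make the construction behind Lemmas 12 and 14 concrete, here is an added Python simulation written for this page (it is not code from the paper) on a constructed toy infrastructure: four elements on a circle of circumference $R = 41/10$ with rational distances, $N = 4$, $L = 400$ and $q = 200$ sampling points. It evaluates the perfect $h$ and $h_N$ exactly with fractions, finds a shift $j/L$ satisfying (42), checks for every outcome whether its preimage has the pseudo-periodic form $\{[k + \ell NR]\}$ of (44), and compares the fraction of good outcomes with the bound (43). All constants and the toy elements are constructed inputs.

```python
from fractions import Fraction
from math import ceil, floor

# Constructed toy infrastructure (not from the paper): elements given by their
# distances d(x) on a circle of circumference R.
R = Fraction(41, 10)
D = [Fraction(0), Fraction(9, 10), Fraction(17, 10), Fraction(31, 10)]
D_MIN = min((D[(t + 1) % len(D)] - D[t]) % R for t in range(len(D)))   # 4/5
N = 4      # N >= ceil(2 / d_min) = 3: at least two samples between neighbours
L = 400    # shifts j/L with j in {0, ..., L/N - 1}; L is a multiple of N
Q = 200    # sampling points i in {0, ..., Q-1}


def h(r):
    """Perfect h: the element just below r mod R and the leftover f = (r mod R) - d(x)."""
    rr = r % R
    x = max(t for t in range(len(D)) if D[t] <= rr)
    return x, rr - D[x]


def h_N(i, j):
    """Quantised h_N(i) = (x, floor(f N)) at the shifted point i/N + j/L (eq. 40)."""
    x, f = h(Fraction(i, N) + Fraction(j, L))
    return x, floor(f * N)


def offset_is_safe(j):
    """Lemma 12 condition (42): no sampling point within 1/L of any element."""
    for i in range(Q):
        r = Fraction(i, N) + Fraction(j, L)
        for d in D:
            gap = (r - d) % R
            if min(gap, R - gap) < Fraction(1, L):
                return False
    return True


def find_safe_offset():
    """Smallest shift j that satisfies (42); Lemma 12 says most j do."""
    return next(j for j in range(L // N) if offset_is_safe(j))


def supports(j):
    """Map each outcome (x, m) to the sorted list of i with h_N(i) = (x, m), i.e. the
    support of the post-measurement state after measuring (x, m) in the second register."""
    out = {}
    for i in range(Q):
        out.setdefault(h_N(i, j), []).append(i)
    return out


def is_pseudo_periodic(support, period):
    """True if support = {[i_0 + l*period] : l = 0..p-1} with [.] = floor or ceil
    (Definition 7) and p >= floor(Q/period) - 1, i.e. one point in every period."""
    if len(support) < floor(Q / period) - 1:
        return False
    i0 = support[0]
    for l, i in enumerate(support):
        target = i0 + l * period
        if i not in (floor(target), ceil(target)):
            return False
    return True


def preimage(j, outcome):
    return supports(j).get(outcome, [])


def fraction_of_good_outcomes(j):
    """Probability, over the uniform measurement of i, that the collapsed state is
    periodic with period N R."""
    good = sum(len(s) for s in supports(j).values() if is_pseudo_periodic(s, N * R))
    return good / Q


def lemma14_bound():
    """Lower bound (43) on that probability for the toy parameters."""
    return float((1 - 1 / (N * D_MIN) - 1 / (N * R)) * (1 - 2 * N * R / Q))


if __name__ == "__main__":
    j = find_safe_offset()
    print("safe shift j =", j, "P(periodic) =", fraction_of_good_outcomes(j),
          ">= bound", lemma14_bound())
    print("support of (x_0, 0):", preimage(j, (0, 0)))
```

For this toy instance the unshifted grid ($j = 0$) hits the element at distance $0$ exactly, while $j = 1$ already satisfies (42). The support of the outcome $(x_0, 0)$ is then $0, 17, 33, 50, \ldots$, i.e. $[\ell \cdot 16.4]$ with floor or ceiling chosen per period as in the proof, and only the outcomes belonging to a "last sampling point" before the next element fail the periodicity check, which is why the observed fraction sits well above the bound (43).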



4.2 Presentation and proof of the quantum algorithm

Theorem 15 (Estimating the circumference to arbitrary accuracy). Let $\mathcal{I}$ be an infrastructure satisfying the assumptions A1–A7. For any $\delta > 0$, there is an efficient Las Vegas algorithm that outputs an estimate $\tilde R$ of the circumference $R$ of $\mathcal{I}$ such that $|\tilde R - R| < \delta$.

Let $N \ge \lceil 2/d_{\min} \rceil$, $S = NR$, $p_h$ the probability of evaluating $h_N$ correctly, and $p_{\mathrm{periodic}}$ the probability of creating a periodic state, see equation (43). Then the classical algorithm invokes Algorithm 1 an expected $O(1/p_{\mathrm{success}})$ number of times, where $p_{\mathrm{success}}$ is

$$p_{\mathrm{success}} \ge \frac{p_h\,p_{\mathrm{periodic}}}{2}\left(\frac{1}{32} - \frac{2}{S}\right)^2\left(1 - \frac{2}{S}\right)^2\left(\mathrm{sinc}\!\left(\frac{1}{2} + \frac{1}{2S}\right) - 2\sin(\pi/32)\right)^4. \qquad (45)$$

The classical computations take $\mathrm{poly}(\log(R), \log(1/\delta))$ time.

Proof. We first create a pseudo-periodic state in $\mathbb{C}^q$, where $q$ is chosen as specified by Algorithm 1. We create the superposition

$$|\psi\rangle = \frac{1}{\sqrt{q}}\sum_{i=0}^{q-1} |i\rangle|h_N(i)\rangle.$$

If the conditions of Lemma 12 are satisfied, then $|\psi\rangle$ will be created correctly with probability $p_h$. Then by Lemma 14, measuring the second register of the state results in a periodic state $|\psi\rangle_{k,NR}$ with probability at least $p_{\mathrm{periodic}}$, where $p \in \{\lfloor q/S \rfloor - 1, \lfloor q/S \rfloor, \lfloor q/S \rfloor + 1\}$. Algorithm 1 returns $\mathcal{L}$, a list of candidates for $S$, which contains an element $\tilde S$ satisfying $|\tilde S - S| < 1$. The probability of this event is

$$\Pr(|\tilde S - S| < 1) \ge p_h\,p_{\mathrm{periodic}}\,p_{\mathrm{success}}, \qquad (46)$$

where $p_{\mathrm{success}}$ is defined in equation (32). The factor $p_h\,p_{\mathrm{periodic}}$ is due to the fact that Algorithm 1 needs to create a pair of pseudo-periodic states.

Assume that a $\tilde S$ with $|\tilde S - S| < 1$ is present (of course, we do not know this). This is equivalent to $|R - R'| < 1/N$, where $R' = \tilde S/N$. We actually check for a slightly weaker condition, namely $|(R - R') \bmod R| < 1/N$. But this suffices.

Recall that we always choose $N \ge \lceil 2/d_{\min} \rceil$. This implies that either $h(R') = (x_0, f)$ with $f < 1/N$ or $h(R') = (\mathrm{bs}^{-1}(x_0), g)$ with $g > \Delta_{\mathrm{bs}}(\mathrm{bs}^{-1}(x_0)) - 1/N$. If we evaluate $\tilde h$, the approximate version of $h$, at $R'$ with precision $\delta_{\mathrm{prec}} < 1/(2N)$, then it remains the case that we can only obtain either $(x_0, f)$ or $(\mathrm{bs}^{-1}(x_0), g)$. If so, we can conclude that $|(R - R') \bmod R| < 1/N$.

Now assume that $|(R - R') \bmod R| \ge 1/N$ holds. In this case, we may or may not encounter $\mathrm{bs}^{-1}(x_0)$ or $x_0$ by evaluating $\tilde h$ at $R'$.

Because our test actually checked for $|(R - R') \bmod R| < 1/N$, we could have some spurious solutions when $R'$ is a multiple of $R$. If this is the case, then we return the smallest such $R'$ as satisfying $|R - R'| < 1/N$. We then obtain an estimate for $R$ as follows.

Once we have encountered $\mathrm{bs}^{-1}(x_0)$ or $x_0$, we can compute $\tilde h(R')$ with precision $\delta/2$. If we obtain $(\mathrm{bs}^{-1}(x_0), g)$, then we set

$$\tilde R = R' - g + \Delta_{\mathrm{bs}}(\mathrm{bs}^{-1}(x_0)), \qquad (47)$$

where we compute the distance $\Delta_{\mathrm{bs}}$ with precision $\delta/2$. If we obtain $(x_0, f)$, then we set $\tilde R = R' - f$. All these computations can be carried out in $\mathrm{poly}(\log(R), \log(1/\delta))$ time.

The expected number of times we have to invoke the quantum algorithm to encounter $\mathrm{bs}^{-1}(x_0)$ or $x_0$ is clearly at most $1/p_{\mathrm{success}}$.

There is a subtle point worth spelling out. In each run of the algorithm, there are two evaluations of $h_N$. We assume that the same random shift is used in both these evaluations and in any subsequent $O(1/p_{\mathrm{success}})$ runs. Only if the algorithm fails in all these runs do we change the offset and repeat the process.

Finally, it can be easily verified that for sufficiently large $S$, say $S \ge 256$, the lower bound on the success probability is greater than a constant, irrespective of the size of the problem.

The proposed algorithm, when specialized to number fields, improves upon [13] in the following aspects. The probability of success of the proposed algorithm is lower bounded by equation (32), which is a constant of about $10^{-5}$, as opposed to [13], for which the success probability decreases as $O(1/\log^4(M))$, where $M \ge NR$, and is lower than $10^{-9}$; see [13, Claim 3.5 and Lemma 3.4] therein. As the expression indicates, the success probability of that algorithm decreases with increasing circumference, and the performance gap with respect to our algorithm increases. Our lower bound is also better than the lower bound of [19], namely $2^{-26}$. Our result also implies fewer repetitions to boost the probability of success, thereby lowering the complexity of the algorithm. In addition, the proposed algorithm requires a smaller quantum Fourier transform, thereby lowering the number of qubits and the circuit complexity.



5 Quantum algorithm for solving the generalized discrete logarithm problem in infrastructures

In this section we give a quantum algorithm for the discrete logarithm problem. Given an element $x$ of an infrastructure $\mathcal{I} = (X, d)$ we are required to find the distance of $x$, namely $d(x)$.

The function that is of interest in the computation of the discrete logarithm problem is $g : \mathbb{Z} \times \mathbb{R} \to X \times \mathbb{R}$, where $g(a, r) = a \cdot (x, 0) + h(r)$. By Lemma 9 we can compute $\tilde g$, the approximate version of $g$, so that it satisfies properties P1 and P2.

As in the circumference case, we evaluate $\tilde g$ at carefully selected points to ensure that the first component is always correct, and quantize the second component. The resulting function is $g_N : \mathbb{Z} \times \mathbb{Z} \to X \times \mathbb{Z}$,

$$g_N(a, b) = (y, \lfloor fN \rfloor), \qquad (48)$$

where $g(a, b/N + j/L) = (y, f)$.

The first component of $\tilde g_N$ is correct provided that equation (14) is satisfied for all evaluation points of $g_N$, i.e., none of the evaluation points are closer than $1/L$ to any element of the infrastructure. As in the case of $h_N$, we achieve this with high probability by applying a random shift of the form $j/L$. The following lemma shows how to find a suitable $L$.

Lemma 16 (Offset for DLOG). Suppose $\mathcal{I}$ is an infrastructure that satisfies the assumptions A1–A7. Let $\mathcal{A} \subseteq \{0, 1, \ldots, A-1\}$ and $\mathcal{B} \subseteq \{0, 1, \ldots, \lfloor RN \rfloor - 1\}$. Let

$$L \ge \frac{2Ak\lceil (R - 1/N)/d_k \rceil}{1 - p_g}\,N. \qquad (49)$$
Let $j \in \{0, \ldots, L/N - 1\}$ be chosen uniformly at random. Then the probability that

$$\left|\left(a d_x + \frac{b}{N} + \frac{j}{L} - d_y\right) \bmod R\right| \ge \frac{1}{L} \qquad (50)$$

holds for all $(a, b) \in \mathcal{A} \times \mathcal{B}$ and all $y \in X$ is greater than or equal to $p_g$.

Proof. Consider a fixed $a \in \mathcal{A}$; then all the points $a d_x + b/N + j/L$ are contained in the interval $[a d_x + j/L,\; a d_x + \lfloor RN - 1 \rfloor/N + j/L]$. This interval contains at most $k\lceil (R - 1/N)/d_k \rceil$ elements $y \in X$ since its length is $\lfloor RN - 1 \rfloor/N \le R - 1/N$. Observe that no $y \in X$ can be closer than $1/L$ to any evaluation point of the above form for more than two offsets.

Hence, if we consider all $a \in \mathcal{A}$, then at most $2Ak\lceil (R - 1/N)/d_k \rceil$ offsets are bad. Assuming $L$ as stated above, this implies that the probability that there is at least one element and at least one evaluation point that are closer than $1/L$ to each other is at most $2Ak\lceil (R - 1/N)/d_k \rceil/(L/N) \le 1 - p_g$. □

We always compute $\tilde R$ with sufficiently high precision so that $|R - \tilde R| < 1/(2N)$ holds. Then we have $\tilde R \ge R - 1/2N$ and a suitable choice for $L$ would be

$$L = \left\lceil \frac{2Ak\lceil \tilde R/d_k \rceil}{1 - p_g} \right\rceil N.$$

In the quantum algorithm for approximating the circumference, we encounter superpositions of the form

$$\frac{1}{\sqrt{|A_{x,m}|}}\sum_{a \in A_{x,m}} |a\rangle|(x, m)\rangle,$$

where $A_{x,m}$ has the special form $\{[k + jRN] : j = 0, \ldots, p\}$ and $(x, m)$ is equal to $h_N(k)$.

A somewhat similar type of quantum state appears in the discrete logarithm problem. A major difference is that it involves a function of two variables:

$$\frac{1}{\sqrt{|A_{y,\ell}|}}\sum_{(a,b) \in A_{y,\ell}} |a\rangle|b\rangle|(y, \ell)\rangle,$$

where $A_{y,\ell}$ is now the fiber over $(y, \ell) \in \mathrm{img}\, g_N$, i.e., $g_N(a, b) = (y, \ell)$ for $(a, b) \in A_{y,\ell}$.

The intuition based on the earlier lemma which characterizes the kernel of the perfect function $g$ suggests that the elements in $A_{y,\ell}$ lie "close" to a line whose slope encodes the distance of the element $x$. This statement is proved in Lemma 17, which establishes the exact relation between $a$ and $b$ for $g_N$. Lemma 18 establishes upper and lower bounds on the size of the preimage of $(y, \ell)$.

The intuition based on the quantum algorithm for the discrete logarithm problem in finite cyclic groups suggests that we can extract the slope by Fourier sampling. This statement is proved in Theorem 19.

Lemma 17. Let $\emptyset \ne \mathcal{A} \subseteq \{0, 1, \ldots, A-1\}$, where $A$ is a positive integer, and $\mathcal{B} \subseteq \{0, 1, \ldots, \lfloor RN \rfloor - 1\}$. Denote by $g_N(\mathcal{A} \times \mathcal{B})$ the image of the function $g_N$, i.e.,

$$g_N(\mathcal{A} \times \mathcal{B}) = \{g_N(a, b) : a \in \mathcal{A},\, b \in \mathcal{B}\}. \qquad (51)$$

For each $(y, \ell) \in g_N(\mathcal{A} \times \mathcal{B})$, the preimage $g_N^{-1}(y, \ell)$ has the form

$$g_N^{-1}(y, \ell) = \{(a, b_a) : a \in \mathcal{A}_{y,\ell}\}, \qquad (52)$$

where $\mathcal{A}_{y,\ell} \subseteq \mathcal{A}$ and, assuming that a random shift of $j/L$ has been applied to the evaluation points, the values $b_a$ satisfy the condition

$$a d_x + \frac{b_a}{N} + \frac{j}{L} = \left\lfloor \frac{a d_x + b_a/N + j/L}{R} \right\rfloor R + d_y + \gamma_a + \frac{\ell}{N} \qquad (53)$$

with $1/L \le \gamma_a \le 1/N - 1/L$. The cardinality of the image satisfies the inequalities

$$|\mathcal{B}| \le |g_N(\mathcal{A} \times \mathcal{B})| \le \lfloor R(N + 1/d_{\min}) \rfloor. \qquad (54)$$
Proof. Let $(y, \ell) \in g_N(\mathcal{A} \times \mathcal{B})$ be arbitrary. Suppose that $(a, b_a) \in g_N^{-1}(y, \ell)$. Then we must have

$$d_y + \frac{\ell}{N} + \gamma_a = \left(a d_x + \frac{b_a}{N} + \frac{j}{L}\right) \bmod R = a d_x + \frac{b_a}{N} + \frac{j}{L} - \left\lfloor \frac{a d_x + b_a/N + j/L}{R} \right\rfloor R,$$

where $1/L \le \gamma_a \le 1/N - 1/L$. This constraint on $\gamma_a$ is due to the fact that none of the sampling points are within a distance of less than $1/L$ from the elements of the infrastructure.

The second component $\ell$ is bounded from above by

$$\ell \le N\Delta_{\mathrm{bs}}(y),$$

since the inequality

$$\left\lfloor \frac{a d_x + b_a/N + j/L}{R} \right\rfloor R + d_y + \gamma_a + \frac{\ell}{N} < \left\lfloor \frac{a d_x + b_a/N + j/L}{R} \right\rfloor R + d_y + \Delta_{\mathrm{bs}}(y)$$

holds for all $(a, b_a)$ with $g_N(a, b_a) = (y, \ell)$. This implies that the number of images whose first component is equal to $y$ is at most $N\Delta_{\mathrm{bs}}(y) + 1$. Summing over all elements of the infrastructure yields the upper bound $RN + R/d_{\min}$. We can improve this to $\lfloor R(N + 1/d_{\min}) \rfloor$ since the cardinality of $g_N(\mathcal{A} \times \mathcal{B})$ is an integer. Hence, $|g_N(\mathcal{A} \times \mathcal{B})| \le \lfloor R(N + 1/d_{\min}) \rfloor$. □

A condition similar to equation (54) has been established in [13] for the principal ideal problem. The condition as derived in [13] may not be satisfied for some infrastructures. Therefore, we relax this constraint and clarify certain crucial assumptions on the size of the preimage in Lemma 18.

Lemma 18. Let $\mathcal{A}$ and $\mathcal{B}$ be as in Lemma 17. Consider the probability distribution $p = (p_{y,\ell})$ on $g_N(\mathcal{A} \times \mathcal{B})$ where the probabilities of the elementary events $(y, \ell)$ are given by

$$p_{y,\ell} = \frac{|g_N^{-1}(y, \ell)|}{|\mathcal{A}|\,|\mathcal{B}|}. \qquad (55)$$

Let $X$ be the random variable that takes on the value $|g_N^{-1}(y, \ell)|$ if the event $(y, \ell)$ occurs. Then we have

$$\Pr(X \ge \kappa|\mathcal{A}|) \ge \frac{1}{1 - \kappa}\left(\frac{|\mathcal{B}|}{\lfloor R(N + 1/d_{\min}) \rfloor} - \kappa\right) \qquad (56)$$

for any $\kappa \in (0, 1)$.
Proof. The expected value $E[X]$ is bounded from below by

$$E[X] = \sum_{(y,\ell)} p_{y,\ell}\,|g_N^{-1}(y, \ell)| = |\mathcal{A}|\,|\mathcal{B}| \sum_{(y,\ell)} p_{y,\ell}^2 \ge \frac{|\mathcal{A}|\,|\mathcal{B}|}{|g_N(\mathcal{A} \times \mathcal{B})|} \ge \frac{|\mathcal{A}|\,|\mathcal{B}|}{\lfloor R(N + 1/d_{\min}) \rfloor}.$$

We used that the sum $\sum p_{y,\ell}^2$ is minimized when the probability distribution is uniform on $g_N(\mathcal{A} \times \mathcal{B})$, and that $|g_N(\mathcal{A} \times \mathcal{B})| \le \lfloor R(N + 1/d_{\min}) \rfloor$.

Let $t = \Pr(X \ge \kappa|\mathcal{A}|)$. Then we must have

$$t|\mathcal{A}| + (1 - t)\kappa|\mathcal{A}| \ge E[X] \ge \frac{|\mathcal{A}|\,|\mathcal{B}|}{\lfloor R(N + 1/d_{\min}) \rfloor}$$

since $X$ is bounded by $|\mathcal{A}|$ from above. The desired lower bound on $t$ follows now easily. □

Theorem 19. Let $I$ be an infrastructure containing at least 3 elements and satisfying the axioms
A1–A7. For all $x \in X$, Algorithm 2 returns an integer $\tilde d_x$ such that $|\tilde d_x - d_x| < 1$, where $d_x$ is the
distance of $x$.

Let $p_g$ be the probability of correctly evaluating $g_N$ and $\kappa$ a real number with $(1 - \operatorname{sinc}(3/4))/(1 -
2\sin(\pi/32)) < \kappa < 1 - 2/(2q+1)$. Then, the success probability of the algorithm is $\Omega(1)$ and at
least

$$p_g \max_{\kappa} \left(1 - \frac{2}{(2q+1)(1-\kappa)}\right)^2 \frac{\kappa^2}{2} \left(1 - 2\sin\frac{\pi}{32} - \frac{1 - \operatorname{sinc}(3/4)}{\kappa}\right)^2 \left(\frac{1}{64} - \frac{2}{B}\right)^2 \qquad (57)$$

where $B = \lceil \tilde R N \rceil$ and $q$ is chosen as in Algorithm 2.



Algorithm 2 Generalized discrete logarithm.

Choose $M \ge \lceil 2R + 1 \rceil$.
Determine $\tilde R$ and $N$ such that $|M\lceil \tilde R N\rceil - M\tilde R N| < 1/2$ and $N = q\lceil 2/d_{\min}\rceil$ for a positive
integer $q$ with $q \le 4M$. Set $B = \lceil \tilde R N \rceil$ and $A = MB$.
Choose $L \ge 2A\kappa N\,(R/d_{\min})/(1 - p_g)$.
Evaluate $g_N$ in superposition over $\{0, 1, \ldots, A-1\} \times \{0, 1, \ldots, B-2\}$ twice.
Fourier sample over $\mathbb{Z}_A \times \mathbb{Z}_B$ to obtain $(h_1,k_1)$ and $(h_2,k_2)$.
Find integers $s,t$ such that $sk_1 + tk_2 = 1$ using the extended Euclidean algorithm.
Compute $r = \dfrac{sh_1 + th_2}{NM}$.
Return $\tilde d_x = r - \lfloor r/\tilde R\rfloor\,\tilde R$.
Proof. We compute an estimate $\tilde R$ such that

$$|R - \tilde R| < \varepsilon \le \frac{1}{16M^2\lceil 2/d_{\min}\rceil} .$$

We now show that there is an efficient method that determines positive integers $B$ and $N$ such that

$$B = \lceil \tilde R N \rceil \qquad (58)$$

and

$$|MB - MNR| < \frac{1}{2} . \qquad (59)$$

To do this, we bound this deviation by

$$|MB - MNR| = |M\lceil N\tilde R\rceil - MN\tilde R + MN\tilde R - MNR| \qquad (60)$$
$$\le |M\lceil N\tilde R\rceil - MN\tilde R| + MN\varepsilon . \qquad (61)$$

The efficient method in Lemma 21 gives us a convergent $p/q$ with $q \le 4M$ such that

$$\left|\frac{p}{q} - \tilde R\,\lceil 2/d_{\min}\rceil\right| < \frac{1}{4Mq} . \qquad (62)$$

The numerator $p$ has the form $\lceil \tilde R\lceil 2/d_{\min}\rceil q\rceil$. The bound in equation (62) and the form of the numerator
directly imply that $N = q\lceil 2/d_{\min}\rceil$ has the desired properties. Both terms in equation (61)
are smaller than $1/4$ for this choice.

Observe that $B - 2 = \lceil \tilde R N\rceil - 2 \le \lfloor RN\rfloor - 1$ because $\tilde R$ has been computed with such high precision.
We define the sets $\mathcal{B} = \{0, 1, \ldots, B-2\}$ and $\mathcal{A} = \{0, 1, \ldots, A-1\}$.

We create the superposition

$$\frac{1}{\sqrt{|\mathcal{A}|\,|\mathcal{B}|}} \sum_{a\in\mathcal{A},\, b\in\mathcal{B}} |a\rangle\,|b\rangle\,|g_N(a,b)\rangle .$$

We know that with probability greater or equal to $p_g$ all the values $g_N(a,b)$ are correct.

We measure the third register. Denote the outcome by $(y,\ell)$. Lemma 18 guarantees that $|\mathcal{A}_{y,\ell}| \ge
\kappa|\mathcal{A}|$ holds with probability greater or equal to

$$p_\kappa \ge \frac{1}{1-\kappa}\left(\frac{|\mathcal{B}|}{\lfloor R(N + 1/d_{\min})\rfloor} - \kappa\right) . \qquad (63)$$

Since $N = q\lceil 2/d_{\min}\rceil$, we can bound $p_\kappa$:

$$p_\kappa \ge \frac{1}{1-\kappa}\left(\frac{NR - 3}{NR(1 + 1/2q)} - \kappa\right) \qquad (64)$$
$$\ge \frac{1}{1-\kappa}\left(\frac{2q-1}{2q+1} - \kappa\right) = 1 - \frac{2}{(2q+1)(1-\kappa)} , \qquad (65)$$

where we used the assumption that $I$ has at least 3 elements and therefore $R \ge 3d_{\min}$, and $NR \ge 6q$.
Lemma 17 implies that the post-measurement state has the form

$$\frac{1}{\sqrt{|\mathcal{A}_{y,\ell}|}} \sum_{a\in\mathcal{A}_{y,\ell}} |a\rangle\,|b_a\rangle \qquad (66)$$
and there exists a unique $b_a$ for each $a \in \mathcal{A}_{y,\ell}$ such that

$$b_a = -a d_x N + \left\lfloor \frac{a d_x + \gamma_a + j/L}{R}\right\rfloor RN + d_y N + \gamma_a N + \ell - \frac{jN}{L} , \qquad (67)$$

where $1/L < \gamma_a < 1/N - 1/L$. We rewrite the condition on $b_a$ as

$$b_a = -a d_x N + \left\lfloor \frac{a d_x + \gamma_a + j/L}{R}\right\rfloor RN + \gamma_a N + \Lambda , \qquad (68)$$

where $\Lambda = d_y N + \ell - jN/L$ is constant.

We apply the quantum Fourier transform over $\mathbb{Z}_A \times \mathbb{Z}_B$ to the first two registers and obtain the super-
position

$$\frac{1}{\sqrt{|\mathcal{A}_{y,\ell}|}}\,\frac{1}{\sqrt{AB}} \sum_{a\in\mathcal{A}_{y,\ell}} \sum_{h=0}^{A-1}\sum_{k=0}^{B-1} \omega_A^{ah}\,\omega_B^{b_a k}\, |h\rangle\,|k\rangle . \qquad (69)$$

The amplitude of the term $|h\rangle|k\rangle$ is given by

$$\frac{1}{\sqrt{|\mathcal{A}_{y,\ell}|}}\,\frac{1}{\sqrt{AB}} \sum_{a\in\mathcal{A}_{y,\ell}} \omega_A^{ah + M b_a k} , \qquad (70)$$

since $A = MB$ and hence $\omega_B^{b_a k} = \omega_A^{M b_a k}$. The exponent of $\omega_A$ in the previous equation is

$$ah + Mk\left(-a d_x N + \left\lfloor \frac{a d_x + \gamma_a + j/L}{R}\right\rfloor NR + \gamma_a N + \Lambda\right) . \qquad (71)$$

The term $Mk\Lambda$ is independent of $a$ and can be dropped from the exponent since it does not change
the probability distribution.



We now show that we obtain a sample $(h,k)$ such that

$$h = k d_x MN - \left\lfloor \frac{k d_x}{R}\right\rfloor MNR + e_h \quad \text{with } |e_h| \le \frac{1}{4} \qquad (72)$$

holds with high probability.¹ As shown previously, $N$ is chosen such that $MNR - M\lceil N\tilde R\rceil = \eta$ with $|\eta| < 1/2$. To simplify the
notation, we use $x$ to denote the distance $d_x$ of the element $x$ throughout the rest of the proof.

¹ The reason that we consider samples that have this particular form is as follows. Rearranging the terms in the
exponent we see that the sum is dominated by the terms $ah - (kd_x/R)MNR + k\lfloor (ad_x + \gamma_a + j/L)/R\rfloor MNR$.
The exponent can be approximated as $a\big(h - (kd_x/R - \lfloor kd_x/R\rfloor)MNR\big)$. Therefore, the probability of $(h,k)$, which is
determined by the geometric sum

$$\frac{1}{AB\,|\mathcal{A}_{y,\ell}|}\left|\sum_{a\in\mathcal{A}_{y,\ell}} \omega_A^{ah + Mb_a k}\right|^2 \approx \frac{1}{AB\,|\mathcal{A}_{y,\ell}|}\left|\sum_{a\in\mathcal{A}_{y,\ell}} \omega_A^{a\left(h - (kd_x/R - \lfloor kd_x/R\rfloor)MNR\right)}\right|^2 ,$$

is large when $h = (kd_x/R - \lfloor kd_x/R\rfloor)MNR + e_h$, where $e_h$ is to ensure that $h$ is an integer.

The exponent of $\omega_A$ modulo $A$ is

$$\begin{aligned}
& a\left(kxMN - \left\lfloor\frac{kx}{R}\right\rfloor MNR + e_h\right) + Mk\left(-axN + \left\lfloor\frac{ax + \gamma_a + j/L}{R}\right\rfloor NR + \gamma_a N\right) \\
&= -a\left\lfloor\frac{kx}{R}\right\rfloor MNR + k\left\lfloor\frac{ax + \gamma_a + j/L}{R}\right\rfloor MNR + e_h a + MN\gamma_a k \\
&\equiv \eta\left(k\left\lfloor\frac{ax + \gamma_a + j/L}{R}\right\rfloor - a\left\lfloor\frac{kx}{R}\right\rfloor\right) + e_h a + MN\gamma_a k \pmod{A} \\
&= \eta\left(k\left(\frac{ax}{R} + \delta_a\right) - a\left(\frac{kx}{R} + \zeta\right)\right) + e_h a + MN\gamma_a k \\
&= (e_h - \eta\zeta)\,a + (\eta\delta_a + MN\gamma_a)\,k ,
\end{aligned} \qquad (73)$$

where $\zeta = \lfloor kx/R\rfloor - kx/R$ and $\delta_a = \lfloor (ax + \gamma_a + j/L)/R\rfloor - ax/R$, and where we used $MNR = A + \eta$.

The (constant) factor $\delta := e_h - \eta\zeta$ in front of $a$ is less than $3/4$ in absolute value ($|e_h| \le \frac14$, $|\zeta| < 1$
and $|\eta| < \frac12$). Assume we measure $k \le \lfloor B/64\rfloor - 1$. Then, for each $a$ the term $\vartheta_a := (\eta\delta_a + MN\gamma_a)k$
is less than $A/32$ in absolute value (since $|\delta_a| < 2$ and $|\gamma_a N| < 1$).

We can now apply Lemma 10 to bound the probability of measuring $(h,k)$ as in equation (72); we
denote this probability by $p_{hk}$. Note that $A$ corresponds to $n$, the summation index $a$ to $j$ and $\mathcal{A}_{y,\ell}$
to the set $J$ in Lemma 10.



The probability $p_{hk}$ is bounded from below by

$$p_{hk} \ge \frac{|\mathcal{A}_{y,\ell}|}{AB}\left(1 - 2\sin\frac{\pi}{32} - \big(1 - \operatorname{sinc}(3/4)\big)\right) , \qquad (74)$$

where $\varepsilon_\delta$ is as in Lemma 10; for $|\delta| < 3/4$ it contributes the term $1 - \operatorname{sinc}(3/4)$.

The probability of any good pair $(h,k)$ (with the restriction $k \le \lfloor B/64\rfloor - 1$) is bounded from below
by

$$\kappa\left(\frac{1}{64} - \frac{2}{B}\right)\left(1 - 2\sin\frac{\pi}{32} - \big(1 - \operatorname{sinc}(3/4)\big)\right) , \qquad (75)$$

where we used that $|\mathcal{A}_{y,\ell}| \ge \kappa|\mathcal{A}|$ and $\lfloor B/64\rfloor - 1 \ge B/64 - 2$.



We now show how to obtain an estimate of the distance of $x$ from two good pairs $(h_1,k_1)$ and
$(h_2,k_2)$ with the additional restriction that $k_1, k_2$ are coprime. This is based on the method in [13].
We have $h_i = k_i x NM - \lfloor k_i x/R\rfloor RNM + e_i$ with $|e_i| \le \frac14$. Since $k_1, k_2$ are coprime we know there
exist integers $s,t$ such that $sk_1 + tk_2 = 1$, which can be computed by the extended Euclidean
algorithm. Let $r = (sh_1 + th_2)/MN$, then we have

$$\begin{aligned}
r = \frac{sh_1 + th_2}{MN} &= sk_1 x - s\left\lfloor\frac{k_1 x}{R}\right\rfloor R + \frac{se_1}{MN} + tk_2 x - t\left\lfloor\frac{k_2 x}{R}\right\rfloor R + \frac{te_2}{MN} \\
&= (sk_1 + tk_2)\,x - \left(s\left\lfloor\frac{k_1 x}{R}\right\rfloor + t\left\lfloor\frac{k_2 x}{R}\right\rfloor\right)R + \frac{se_1 + te_2}{MN} \\
&= x - mR + e_r ,
\end{aligned}$$

where $m = s\lfloor k_1 x/R\rfloor + t\lfloor k_2 x/R\rfloor$ and $e_r = (se_1 + te_2)/MN$. Since $|s|, |t| \le \max\{k_1, k_2\}$, and $k_1, k_2 \le
\lceil RN\rceil/32$, it follows that

$$|e_r| \le \frac{|s| + |t|}{4MN} \le \frac{\lceil RN\rceil}{64MN} < \frac12$$

by our choice of $M$. Furthermore, $|m| \le NR/8$, as $|r| \le 2M\lceil NR\rceil\lceil NR\rceil/32MN \le NR^2/8$.

We can estimate $x$ by reducing $r$ modulo $\tilde R$ to bring it within the range $[0, \tilde R)$. This gives us an
estimate $\tilde x = x - m(R - \tilde R) + e_r$ and the error $|\tilde x - x|$ can be bounded as follows:

$$|\tilde x - x| \le |m(R - \tilde R)| + |e_r| \le |m\varepsilon| + |e_r| \le \frac{NR}{8}\cdot\frac{1}{16M^2\lceil 2/d_{\min}\rceil} + \frac12 < 1 ,$$

where we used the fact that $M > 2R$ and $N \le 4M\lceil 2/d_{\min}\rceil$ and $|e_r| < 1/2$.

The probability of measuring two good samples $(h_1,k_1)$ and $(h_2,k_2)$ such that $k_1, k_2$ are coprime
is given by

$$p_{\mathrm{success}} \ge \frac12\left(p_\kappa\, p_{hk}\left(\frac{1}{64} - \frac{2}{B}\right)\right)^2 p_g , \qquad (76)$$

where $p_g$ is the probability of evaluating $g_N$ successfully. □
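The classical post-processing in the last three steps of Algorithm 2 (extended Euclid on the coprime pair $k_1, k_2$, the combination $r = (sh_1 + th_2)/(MN)$ and the reduction modulo $\tilde R$), as an added Python illustration that is not part of the paper. The quantum Fourier sampling is not simulated: the two "good" samples are constructed directly from the form (72), with the rounding error playing the role of $e_h$, and the values of $R$, $\tilde R$, $d_x$, $d_{\min}$, $M$, $N$, $k_1$, $k_2$ are made up for the run.

```python
from fractions import Fraction
from math import ceil, floor


def ext_gcd(a, b):
    """Extended Euclidean algorithm: return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, s1, t1 = ext_gcd(b, a % b)
    return (g, t1, s1 - (a // b) * t1)


def good_sample(k, x, R, M, N):
    """Constructed stand-in for a 'good' Fourier sample of the form (72):
    h = k x M N - floor(k x / R) M N R + e_h, where e_h is the rounding error
    that makes h an integer. No quantum step is performed here."""
    exact = k * x * M * N - floor(k * x / R) * M * N * R
    return round(exact)


def recover_distance(h1, k1, h2, k2, M, N, R_tilde):
    """Classical post-processing of Algorithm 2: combine two good samples with
    coprime k1, k2 into r = (s h1 + t h2)/(MN) = x - mR + e_r and reduce r
    modulo the circumference estimate R_tilde into [0, R_tilde)."""
    g, s, t = ext_gcd(k1, k2)
    if g != 1:
        raise ValueError("k1 and k2 must be coprime")
    r = Fraction(s * h1 + t * h2, M * N)
    return r - floor(r / R_tilde) * R_tilde


def demo():
    """Constructed instance; every value below is made up for illustration."""
    R = Fraction("123.456789")           # true circumference
    R_tilde = R + Fraction(1, 10**9)     # classical estimate, |R - R_tilde| = 1e-9
    x = Fraction("37.25")                # distance d_x of the element to locate
    d_min = Fraction(1, 2)
    M = 250                              # M >= ceil(2R + 1) = 248
    N = 5 * ceil(2 / d_min)              # N = q * ceil(2/d_min) with q = 5
    k1, k2 = 7, 12                       # coprime, both below B/64 (B ~ RN = 2470)
    h1 = good_sample(k1, x, R, M, N)
    h2 = good_sample(k2, x, R, M, N)
    x_tilde = recover_distance(h1, k1, h2, k2, M, N, R_tilde)
    return x, x_tilde


if __name__ == "__main__":
    x, x_tilde = demo()
    print(f"true distance {float(x):.6f}, recovered {float(x_tilde):.6f}, "
          f"error {float(abs(x_tilde - x)):.2e}")
```

All arithmetic is done with `Fraction` so that the rounding error of each sample is the only inexact quantity; with the constructed values the recovered distance is off by about $10^{-5}$, far inside the $|\tilde d_x - d_x| < 1$ guarantee of Theorem 19, because $|m|$ is tiny and $|e_r|$ is of order $1/(MN)$.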



We make the following observations regarding the success probability of the quantum algorithm.
First, a simpler lower bound on the success probability can be obtained without having to maximize
over $\kappa$ in equation (57), by evaluating this expression at $\kappa = (\kappa_1 + \kappa_2)/2$, where $\kappa_1 = (1 - \operatorname{sinc}(3/4))/(1 -
2\sin(\pi/32))$ and $\kappa_2 = 1 - 2/(2q+1)$. We also note the expression can be further simplified to be
completely independent of the size of the infrastructure as follows.

Second, under the assumption that $R \ge 256$ and $q \ge 8$, we can bound $(1/64 - 2/B) \ge 1/128$ and
$2/(2q+1) \le 1/8$, and the lower bound on the success probability simplifies to a constant independent
of the problem size:

$$\max_{\kappa}\, p_g\left(1 - \frac{1}{8(1-\kappa)}\right)^2 \frac{\kappa^2}{2}\left(1 - 2\sin\frac{\pi}{32} - \frac{1 - \operatorname{sinc}(3/4)}{\kappa}\right)^2 \left(\frac{1}{128}\right)^2 . \qquad (77)$$

Although the expressions for the success probability may appear to be a little unwieldy, we hope
they provide insight into the various factors affecting the success probability.

Third, we can boost the success probability (strictly speaking, the lower bound on it) by increasing 
1- 
Fourth, we can truly improve upon the success probability by extending the set of usable obser-
vations $(h_1,k_1)$ and $(h_2,k_2)$. Currently, we require that $k_i \le \lfloor B/64\rfloor$, but this can be relaxed
significantly.
Appendix

We prove here some auxiliary results. 

Lemma 20. Let $a$ and $b$ be two random numbers chosen uniformly at random from $\{1, \ldots, N\}$.
The probability that $a$ and $b$ are coprime is bounded from below by $1/2$, i.e.,

$$\Pr(\gcd(a,b) = 1) \ge \frac12 . \qquad (78)$$

Proof. Let $p$ be an arbitrary prime. Then the probability that $p$ divides $a$, denoted $\Pr(p \mid a)$, is
given by

$$\Pr(p \mid a) = \frac{\lfloor N/p\rfloor}{N} \le \frac{1}{p} .$$

Thus,

$$\Pr(p \mid \gcd(a,b)) \le \frac{1}{p^2} .$$

We obtain an upper bound on the probability that there is a prime dividing the greatest common
divisor of $a$ and $b$ with the help of the union bound. This yields

$$\Pr(\gcd(a,b) > 1) \le \sum_p \frac{1}{p^2} ,$$

where the summation index $p$ ranges over all primes. The sum of squared reciprocals of primes is
known to be

$$\sum_p \frac{1}{p^2} = \sum_{k=1}^{\infty} \frac{\mu(k)}{k}\,\ln\zeta(2k) = 0.4522474200\ldots ,$$

where $\mu$ denotes the Möbius mu function and $\zeta$ the Riemann zeta function [H, page 95]. Finally,
we obtain the desired result

$$\Pr(\gcd(a,b) = 1) \ge 1 - \sum_p \frac{1}{p^2} > \frac12$$

by considering the complementary event. □
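A numerical check of Lemma 20, added here and not part of the paper: exact enumeration of the coprime pairs in $\{1,\ldots,N\}^2$ for small $N$, next to the union bound of the proof made exact for that $N$ (using $\Pr(p \mid a) = \lfloor N/p\rfloor/N$ and only the primes up to $N$, since a larger prime cannot divide both $a$ and $b$), and the partial sum of $1/p^2$ computed by a sieve. The function names are this example's own.

```python
from fractions import Fraction
from math import gcd


def coprime_fraction(n):
    """Exact probability that two independent uniform draws a, b from {1,...,n}
    are coprime, obtained by enumerating all n^2 ordered pairs."""
    hits = sum(1 for a in range(1, n + 1) for b in range(1, n + 1) if gcd(a, b) == 1)
    return Fraction(hits, n * n)


def primes_up_to(limit):
    """Sieve of Eratosthenes returning the primes p <= limit."""
    if limit < 2:
        return []
    is_prime = bytearray([1]) * (limit + 1)
    is_prime[0] = is_prime[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if is_prime[i]:
            is_prime[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i in range(2, limit + 1) if is_prime[i]]


def prime_square_sum(limit):
    """Partial sum of 1/p^2 over primes p <= limit; the full sum is 0.4522474200..."""
    return sum(1.0 / (p * p) for p in primes_up_to(limit))


def union_lower_bound(n):
    """The union bound of the proof for a given n: Pr(p | a) = floor(n/p)/n, and
    only primes p <= n can divide gcd(a, b), so
    Pr(gcd(a, b) = 1) >= 1 - sum_{p <= n} (floor(n/p)/n)^2 (exact rational)."""
    return 1 - sum(Fraction(n // p, n) ** 2 for p in primes_up_to(n))


if __name__ == "__main__":
    for n in (10, 100):
        print(f"n={n}: Pr(coprime) = {coprime_fraction(n)} = {float(coprime_fraction(n)):.4f}, "
              f"union bound >= {float(union_lower_bound(n)):.4f}")
    print(f"sum of 1/p^2 over primes <= 100: {prime_square_sum(100):.6f}")
```

For every $N$ the enumerated probability sits above the union bound, and the union bound itself is above $1/2$ because even the full prime sum is only about $0.452$; the enumerated values ($0.63$ for $N = 10$, $0.6087$ for $N = 100$) are already close to the limit $6/\pi^2 \approx 0.608$.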



We now prove a result related to continued fractions. The reader can find more details about
continued fractions in [3].

Lemma 21. Let $p_i/q_i$ denote the convergents of a real number $r \in \mathbb{R}$, for $i \in \mathbb{N}$. Then for any
given constant $c > 1$, there exists a convergent $p_i/q_i$ such that $|r - p_i/q_i| < 1/cq_i$ and $q_i \le c$.

Proof. Since $c > 1 = q_0$ and the $q_i$ form a monotonically increasing sequence for $i \ge 1$, there exists such
a convergent $p_i/q_i$ with $q_i \le c < q_{i+1}$ unless $r$ has a finite continued fraction expansion with
all the $q_i \le c$. If the latter case occurs, then it follows that there exists a convergent $p_i/q_i$ such
that $r = p_i/q_i$; therefore for this convergent $|r - p_i/q_i| = 0 < 1/cq_i$ and the statement of the lemma
holds. Otherwise, $r$ has a continued fraction expansion such that $q_i \le c < q_{i+1}$. We know that the
convergents satisfy the relation

$$\left|r - \frac{p_i}{q_i}\right| < \frac{1}{q_i q_{i+1}} .$$

Therefore, we must have

$$\left|r - \frac{p_i}{q_i}\right| < \frac{1}{q_i q_{i+1}} < \frac{1}{c q_i} ,$$

where we used the fact that $q_{i+1} > c$. □
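Lemma 21 and its use in the proof of Theorem 19 (choosing $N = q\lceil 2/d_{\min}\rceil$ from a convergent $p/q$ of $\tilde R\lceil 2/d_{\min}\rceil$ with $q \le 4M$, so that $M\,|N\tilde R - p| < 1/4$), as an added Python example that is not part of the paper. The convergents are generated exactly from the continued fraction recurrence $p_i = a_i p_{i-1} + p_{i-2}$, $q_i = a_i q_{i-1} + q_{i-2}$; the function names and the sample values $\tilde R = 123.456789$, $d_{\min} = 1/2$, $M = 250$ are made up.

```python
from fractions import Fraction
from math import ceil


def convergents(r):
    """Yield the convergents p_i/q_i (i = 0, 1, ...) of r as Fractions.
    The expansion is computed exactly, so the generator stops for rational r."""
    r = Fraction(r)
    p_prev2, p_prev1 = 0, 1      # p_{-2}, p_{-1}
    q_prev2, q_prev1 = 1, 0      # q_{-2}, q_{-1}
    while True:
        a = r.numerator // r.denominator      # partial quotient a_i = floor(r)
        p = a * p_prev1 + p_prev2
        q = a * q_prev1 + q_prev2
        yield Fraction(p, q)
        rest = r - a
        if rest == 0:
            return                            # finite expansion: r = p/q exactly
        r = 1 / rest
        p_prev2, p_prev1 = p_prev1, p
        q_prev2, q_prev1 = q_prev1, q


def lemma21_convergent(r, c):
    """Return the convergent p/q of r with the largest denominator q <= c.
    By Lemma 21 it satisfies |r - p/q| < 1/(c q) (the difference is 0 if r = p/q)."""
    best = None
    for conv in convergents(r):
        if conv.denominator > c:
            break
        best = conv
    return best


def satisfies_lemma21(r, c):
    """Check both conditions of Lemma 21 for the convergent chosen above."""
    r = Fraction(r)
    conv = lemma21_convergent(r, c)
    q = conv.denominator
    return q <= c and abs(r - conv) * c * q < 1


def choose_N(R_tilde, d_min, M):
    """The step from the proof of Theorem 19: with e = ceil(2/d_min), take the convergent
    p/q of R_tilde * e with q <= 4M (Lemma 21) and set N = q * e. Returns (N, p, q)."""
    R_tilde, d_min = Fraction(R_tilde), Fraction(d_min)
    e = ceil(2 / d_min)
    conv = lemma21_convergent(R_tilde * e, 4 * M)
    return conv.denominator * e, conv.numerator, conv.denominator


def precision_margin(R_tilde, d_min, M):
    """M * |N * R_tilde - p| for the choice above; the proof needs this to be < 1/4,
    which follows from q * |R_tilde*e - p/q| < 1/(4M)."""
    N, p, q = choose_N(R_tilde, d_min, M)
    return M * abs(N * Fraction(R_tilde) - p)


if __name__ == "__main__":
    print([str(c) for c in convergents(Fraction(415, 93))])
    N, p, q = choose_N("123.456789", "1/2", 250)
    print(f"N = {N}, p = {p}, q = {q}, margin = {float(precision_margin('123.456789', '1/2', 250)):.4f}")
```

For the constructed values the convergent with the largest $q \le 4M = 1000$ has $q = 81$, giving $N = 324$ and a margin well below $1/4$; the rational example $415/93$ shows the finite-expansion branch of the proof, where the last convergent equals $r$ itself.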